Is there a way to find unused/unsearched data in Splunk?
Example:
In an Index=XYZ we are ingesting 100GB of data on a daily basis.
Out of that 100 GB when we run queries we are retrieving 60GB of logs and the remaining 40GB never retrieved or never searched upon.
And using this scenario we can send those events to the NULL queue.
↧