topic Re: How to find all the searches having "index=*" in the search or Alert or Reports in Splunk Search

How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan — Fri, 31 Mar 2017 14:22:35 GMT

Hi,

Am fine tuning my environment, so i listing out the searches which are using index=* in the search. But as * is wildcard it is not filtering.
Below is the query

index=_audit action=search | convert num(total_run_time) |  eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search="*index=*"

Thanks in advance

Re: How to find all the searches having "index=*" in the search or Alert or Reports

adonio — Fri, 31 Mar 2017 14:32:26 GMT

Hi SathyaNarayananan
Similar question and answers here: https://answers.splunk.com/answers/504400/list-out-saved-searches-which-are-used-index-insta.html
hope it helps

Re: How to find all the searches having "index=*" in the search or Alert or Reports

alemarzu — Fri, 31 Mar 2017 14:35:56 GMT

Hi there, try this one,

| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")

Another one for both types, Ad-Hoc, Scheduled and API searches.

index=_audit action="search" search="*" | eval ad-hoc=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1

Edited.

Re: How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan — Fri, 31 Mar 2017 14:57:00 GMT

Thanks, but when put we search ="Index=*", it started listing out all the indexes again

Re: How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan — Fri, 31 Mar 2017 14:57:48 GMT

Thanks, its works for the saved searches, how about for the searches made adhoc

Re: How to find all the searches having "index=*" in the search or Alert or Reports

DalJeanis — Fri, 31 Mar 2017 15:00:30 GMT

remember to escape the * as \* if you are looking for that character rather than "anything".

Re: How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan — Fri, 31 Mar 2017 15:12:14 GMT

I used the below line from your query and got the required list.

| eval var1=if(match(search,"index=*"), "TUNE-ME", "OK")

Thanks Alemarzu

Re: How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan — Fri, 31 Mar 2017 15:36:09 GMT

Thanks, it working

Re: How to find all the searches having "index=*" in the search or Alert or Reports

alemarzu — Fri, 31 Mar 2017 16:10:45 GMT

Nice but be aware that the match function is a regex, so you should consider using a wider regular expression to match any possibility, like (index=*, index = *, index= *, index="*")

Re: How to find all the searches having "index=*" in the search or Alert or Reports

karlbosanquet — Sat, 01 Apr 2017 12:40:35 GMT

Just one thing to be aware of, each role or user may have different results when they search for index=* due to what indexes they are able to see and what they search as default.

E.g.

Admin role set to see all internal and external indexes searches index=* gets everything.
User role configured to only see main index searches index=* only sees main index results.