topic Re: how to find index names from Splunk saved searches in Splunk Search

how to find index names from Splunk saved searches

arrangineni — Mon, 09 Mar 2020 20:11:28 GMT

How to find the indexes that the saved searches are running against? Few of my searches are not using index names within saved searches.

Re: how to find index names from Splunk saved searches

woodcock — Mon, 09 Mar 2020 22:01:02 GMT

It is EXTREMELY poor practice to search without specifying index values. When you do, the same search will behave differently for different users and also for the same users across time (whenever your Splunk admin decides to modify roles). You can see what your user is searching now like this:

| tstats count WHERE earliest=0 BY index

Re: how to find index names from Splunk saved searches

arrangineni — Wed, 30 Sep 2020 04:32:17 GMT

Thanks for the response @woodcock what I am also looking for is to identify index names defined in the search queries of saved searches. I am using below rest call to get the qualifiedSearch field from the saved searches using REST API and trying to extract index names out of it

| rest /servicesNS/-/-/saved/searches
| table title, eai:acl.owner, description, eai:acl.app, qualifiedSearch, next_scheduled_time

Re: how to find index names from Splunk saved searches

woodcock — Tue, 10 Mar 2020 14:18:11 GMT

this is WAY harder than it seems. I believe that @cmerriman did some work on this.

Re: how to find index names from Splunk saved searches

arrangineni — Tue, 10 Mar 2020 14:41:21 GMT

tried doing the rex for index name but seems it needs more fine tuning
| rex field=qualifiedSearch "index=(?.\w+)"

Re: how to find index names from Splunk saved searches

cmerriman — Tue, 10 Mar 2020 18:00:27 GMT

Thanks @woodcock

try this query:

| rest splunk_server=* /servicesNS/-/-/saved/searches f=title f=eai:acl* f=description f=qualifiedSearch f=next_scheduled_time search="eai:acl.app!=splunk_archiver" search="eai:acl.app!=splunk_app_windows_infrastructure" search="eai:acl.app!=splunk_app_aws" search="eai:acl.app!=nmon"
| table splunk_server title, eai:acl.owner, description, eai:acl.app, qualifiedSearch, next_scheduled_time | search next_scheduled_time!="" qualifiedSearch!="*index IN*"
| regex qualifiedSearch!=".*index\s*(!?)=\s*([^*]|\*\S+)" 
| regex qualifiedSearch="^\s*search "
| regex qualifiedSearch!="^\s*search\s*\[\s*\|\s*inputlookup"
| rex field=qualifiedSearch "^(?P<exampleQueryToDetermineIndexes>[^\|]+)"
|rex field=exampleQueryToDetermineIndexes max_match=0 "eventtype=(?<eventtype>[^\s]+)"
|join eventtype splunk_server type=left [|rest /services/admin/eventtypes splunk_server=* f=search f=title|table splunk_server title search|rename title as eventtype search as eventtype_def]
|eval eventtype="eventtype=".eventtype|eval exampleQueryToDetermineIndexes=if(like(exampleQueryToDetermineIndexes,"%eventtype%"),replace(exampleQueryToDetermineIndexes,eventtype,eventtype_def),exampleQueryToDetermineIndexes)
|replace *eventtype* with *eventtype_def* in exampleQueryToDetermineIndexes
| regex exampleQueryToDetermineIndexes!="\`"
| regex exampleQueryToDetermineIndexes!=".*index\s*(!?)=\s*([^*]|\*\S+)" | regex exampleQueryToDetermineIndexes!=".*tag\s*(!?)=\s*([^*]|\*\S+)" 
|where isnotnull(exampleQueryToDetermineIndexes)
|fields - eventtype eventtype_def
| rename eai:acl.owner AS owner, eai:acl.app AS Application
|stats values(*) as * by Application title

It actually comes from https://splunkbase.splunk.com/app/3796/ , if I recall correctly - we adjusted it slightly in our environment, but I think this is the original search.