https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667607#M229034 <P>Thank you, I am getting the result but unwanted fields are coming like jira, macro, filename. How to get rid of this from result</P> Mon, 06 Nov 2023 19:03:23 GMT harishsplunk7 2023-11-06T19:03:23Z https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667557#M229011 <P>I want to list what commands in the search language are being used.&nbsp;&nbsp;I think its possible in the same _audit index and&nbsp; I want to be able to do is count the number of times each command is used in search</P><P>Example :&nbsp;</P><P>stats used 2 time</P><P>eval used 5 times&nbsp;</P><P>rex used 7 time</P><P>timechart used 10 time</P><P>&nbsp;</P> Mon, 06 Nov 2023 15:11:50 GMT https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667557#M229011 harishsplunk7 2023-11-06T15:11:50Z https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667562#M229015 <P>You could start with something like this:</P><LI-CODE lang="markup">index=_audit | rex max_match=0 field=search "\|\s*(?&lt;command&gt;\w+)" | stats count by command</LI-CODE><P>However, you may get some false results if pipes are used in the search where they are not delimiting commands. Also, you may find that macros hide the use of some commands.</P> Mon, 06 Nov 2023 15:37:48 GMT https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667562#M229015 ITWhisperer 2023-11-06T15:37:48Z https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667603#M229032 <P>There is a REST endpoint, <FONT face="courier new,courier">/services/search/v2/parser</FONT>,&nbsp; you may be able to use to parse queries into the commands used.&nbsp; It requires the POST method so it will have to be used from a script (not from the UI).&nbsp; See <A href="https://docs.splunk.com/Documentation/Splunk/9.1.1/RESTREF/RESTsearch#search.2Fv2.2Fparser" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.1.1/RESTREF/RESTsearch#search.2Fv2.2Fparser</A></P> Mon, 06 Nov 2023 18:02:22 GMT https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667603#M229032 richgalloway 2023-11-06T18:02:22Z https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667607#M229034 <P>Thank you, I am getting the result but unwanted fields are coming like jira, macro, filename. How to get rid of this from result</P> Mon, 06 Nov 2023 19:03:23 GMT https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667607#M229034 harishsplunk7 2023-11-06T19:03:23Z https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667622#M229041 <LI-CODE lang="markup">| where command!="jira" AND command!="macro" AND command!="filename"</LI-CODE> Mon, 06 Nov 2023 23:35:26 GMT https://community.splunk.com/t5/Splunk-Search/how-to-find-what-commands-in-the-search-language-are-being-used/m-p/667622#M229041 ITWhisperer 2023-11-06T23:35:26Z