https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744757#M241310 <P>You could look through the _internal index to see what searches have been performed. This only tells you what have been executed, not what could potentially execute i.e. there could still be alerts which haven't run but may run in the future which use index=*</P> Wed, 23 Apr 2025 08:44:58 GMT ITWhisperer 2025-04-23T08:44:58Z https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744755#M241308 <P>Hello guys,</P><P>&nbsp;</P><P>I need a splunk query that list out all the alerts that have index=* in their query. Unfortunately, I can't use rest services so kindly suggest me how can i do it without using rest.</P> Wed, 23 Apr 2025 14:25:01 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744755#M241308 sverdhan 2025-04-23T14:25:01Z https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744757#M241310 <P>You could look through the _internal index to see what searches have been performed. This only tells you what have been executed, not what could potentially execute i.e. there could still be alerts which haven't run but may run in the future which use index=*</P> Wed, 23 Apr 2025 08:44:58 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744757#M241310 ITWhisperer 2025-04-23T08:44:58Z https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744759#M241311 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272456">@sverdhan</a>&nbsp;</P><P>You can use the _audit index to find these, its not possible to search for a literal asterisk in Splunk but you can use a match command within where to filter as below. Note, the NOT "index=_audit" is to stop your own searches for asterisks searches from coming back!</P><LI-CODE lang="markup">index=_audit info=granted NOT "index=_audit" NOT typeahead | where match(search, ",*index\s?=\s?\*")</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 23 Apr 2025 09:23:11 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744759#M241311 livehybrid 2025-04-23T09:23:11Z https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744790#M241316 <P>Remember that searches might query all indexes even if they don't have verbatim "index=*" in them. There are several possible cases which might cause that behaviour:</P><P>1) Default indexes defined for a role (you <EM>should not</EM> do that but it is possible)</P><P>2) Eventtype</P><P>3) index IN (*)</P><P>4) macro</P><P>5) Data model</P><P>And please try to set a more descriptive topic for the thread next time.</P> Wed, 23 Apr 2025 14:29:04 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744790#M241316 PickleRick 2025-04-23T14:29:04Z https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744834#M241326 <P>This is true&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272456">@sverdhan</a>&nbsp; - As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;has said, this might not cover everything you're expecting.&nbsp;</P><P>I spent a big chunk of time once trying to find "every" combination for a project I was working on to automatically notify of people doing this, however they often found clever ways around, things like using inputlookup, makeresults etc in subsearches.</P><P>However, it might catch "most" of your queries - ultimately your mileage may vary!</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 23 Apr 2025 21:22:14 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-quot-index-quot-in-searches/m-p/744834#M241326 livehybrid 2025-04-23T21:22:14Z