topic Re: Searches appearing in search results (yo dawg) in Splunk Search

Searches appearing in search results (yo dawg)

bbegyperkspot — Mon, 28 Sep 2020 16:46:50 GMT

When I search in the search application, my search terms are starting to appear in subsequent searches. So search for "earliest=-m error" then do it again, and half of my results are the previous search.

[02/Jun/2014:15:49:51.737 -0500] "GET /en-US/splunkd/_raw/services/messages?output_mode=json&count=1000&=1401742191674 HTTP/1.1" 200 198 "[splunk url redacted]/en-US/app/search/search?q=search%20earliest%20%3D-m%20error&earliest=0&latest=&sid=1401741994.2" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" - 538ce36fbc31f17d0 7ms

I must have my settings broken. But how?

Re: Searches appearing in search results (yo dawg)

somesoni2 — Mon, 02 Jun 2014 21:16:24 GMT

When you just search "earliest=-m error", its basically searching all your default indexes (all internal and non-internal indexes). The internal indexes like _internal and _audit also logs user search activities which is what is being included in your results at it matches your criteria.
Please include the indexes your really want to search.

Re: Searches appearing in search results (yo dawg)

bbegyperkspot — Mon, 02 Jun 2014 21:17:40 GMT

ok, how do I disable searching _internal and _audit by default? It is baffling the user's I'm trying to convert from "just log into prod and poke at the error log."

Re: Searches appearing in search results (yo dawg)

somesoni2 — Mon, 02 Jun 2014 21:35:28 GMT

Check the role users are in and for that role changes the property "Indexes searched by default" OR at search level, specify "NOT index=_* earliest=-m error"

Re: Searches appearing in search results (yo dawg)

neiljpeterson — Mon, 28 Sep 2020 16:46:53 GMT

That data is most certainly coming from the _internal index which contains lots of things like searches ran.

The indexes that are available to you as a user are a function of what role(s) you have. You can change which indexes are searched by default under the access control settings for that role.

To prevent everyone with the user role from seeing results from _internal click on Settings > Access controls > Roles > user > Indexes searched by default Choose what indexes you want them to see results from by adding them to Selected Indexes under indexes searched by default.

The default indexes are the indexes that will be searched when index= is NOT specified in query. When someone (like you) would want to search the _internal index they would then need to specify it:index=_internal

Re: Searches appearing in search results (yo dawg)

bbegyperkspot — Mon, 02 Jun 2014 22:12:22 GMT

That did it, thanks. It got changed when we were debugging another issue.