Re: list out saved searches which are used index=*...

john_q · ‎02-23-2017

Hi all,
we have hundreds of saved searches,but the problem is while creating savedsearches they were used index= *

instead of using index fully qualified name.so i want to list out how many savedsearches has index=*

thanks.

sylvia_gerges · ‎09-05-2022

You can also try

| regex search=.*index\s*=\s*_?\*\s

aaraneta_splunk · ‎04-20-2017

@john_q - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

SathyaNarayanan · ‎03-31-2017

| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app eai:acl.owner | eval var1=if(match(search,"index=*"), "TUNE-ME", "OK") | where var1 = "TUNE-ME"

DalJeanis · ‎03-31-2017

upvote for "TUNE-ME", but remember to mark your code.

somesoni2 · ‎02-23-2017

Give this a try

| rest /servicesNS/-/-/saved/search splunk_server=local
| regex search=".*index\s*=\s*\*.+"
| table title eai:acl.owner eai:acl.app cron_schedule dispatch.*_time search

adonio · ‎02-23-2017

Hi John_q
Try and run this search:

This is not perfect but if you will click at the arrow next to the search field in the table, it will sort searches alphabetically
and will bring the index=* searches to the top of the list

| rest /services/saved/searches
| table search eai:acl.owner title search
| search search="index=*"

Hope it helps

How to list out saved searches which are used index=* instated of using index fully qualified name?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!