Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find all the searches having not field parameter in the search or Alert or Reports?

gulizar
New Member
‎05-31-2021 05:03 AM
Hi,

In our system, to prevent the high resources consumed, we would like to see all searches including "*" and without field. To explain, someone can search like this index=os *tktpfp*. In this search, after index information, there is not field as you can see. We want to obtain all searches written without any fields. Is there any way to see this searches by using an SPL? Can you help me about this? I appreciate your helps and efforts.

index=test error*

index=test *errror*

index=test *

Kind Regards.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-31-2021 08:53 AM

See if this helps

| rest /services/saved/searches splunk_server=local 
| rex field=search "^(?<base>[^\|]*)" 
| regex base="(?:\s\*)|(?:\s\w+\*)" 
| table eai:acl.app title search
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gulizar
New Member
‎06-04-2021 05:47 AM

Hi,

we want to find that which user used a wilcard(*) without using field in the spl. 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-04-2021 01:46 PM
You could see all searches from _audit index. You probably get the idea from this answer https://community.splunk.com/t5/Archive/How-to-find-all-the-searches-having-quot-index-quot-in-the/m...
r. Ismo
0 Karma
Reply

gulizar
New Member
‎06-04-2021 05:37 AM

Hi,

thank you so much. this search does not satisfy my request.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 07:59 AM

You could use the ReST API to retrieve dashboard detail for example, and examine the queries defined there.

| rest splunk_server=local servicesNS/-/-/data/ui/views/
0 Karma
Reply

gulizar
New Member
‎06-04-2021 05:43 AM

Hi,

thank you so much. this search does not satisfy my request. this search gave a dashboard list. i want to learn which user used the wilcard (*) character in the spl of reports and alerts.

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...