How to find all the searches having not field para...

gulizar · ‎05-31-2021

Hi,

In our system, to prevent the high resources consumed, we would like to see all searches including "*" and without field. To explain, someone can search like this index=os *tktpfp*. In this search, after index information, there is not field as you can see. We want to obtain all searches written without any fields. Is there any way to see this searches by using an SPL? Can you help me about this? I appreciate your helps and efforts.

index=test error*

index=test *errror*

index=test *

Kind Regards.

richgalloway · ‎05-31-2021

See if this helps

| rest /services/saved/searches splunk_server=local 
| rex field=search "^(?<base>[^\|]*)" 
| regex base="(?:\s\*)|(?:\s\w+\*)" 
| table eai:acl.app title search

---
If this reply helps you, Karma would be appreciated.

gulizar · ‎06-04-2021

Hi,

we want to find that which user used a wilcard(*) without using field in the spl.

isoutamo · ‎06-04-2021

You could see all searches from _audit index. You probably get the idea from this answer https://community.splunk.com/t5/Archive/How-to-find-all-the-searches-having-quot-index-quot-in-the/m...
r. Ismo

gulizar · ‎06-04-2021

Hi,

thank you so much. this search does not satisfy my request.

ITWhisperer · ‎05-31-2021

You could use the ReST API to retrieve dashboard detail for example, and examine the queries defined there.

| rest splunk_server=local servicesNS/-/-/data/ui/views/

gulizar · ‎06-04-2021

Hi,

thank you so much. this search does not satisfy my request. this search gave a dashboard list. i want to learn which user used the wilcard (*) character in the spl of reports and alerts.

How to find all the searches having not field parameter in the search or Alert or Reports?

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life