Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find all the searches having not field parameter in the search or Alert or Reports?

gulizar
New Member
‎05-31-2021 05:03 AM
Hi,

In our system, to prevent the high resources consumed, we would like to see all searches including "*" and without field. To explain, someone can search like this index=os *tktpfp*. In this search, after index information, there is not field as you can see. We want to obtain all searches written without any fields. Is there any way to see this searches by using an SPL? Can you help me about this? I appreciate your helps and efforts.

index=test error*

index=test *errror*

index=test *

Kind Regards.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-31-2021 08:53 AM

See if this helps

| rest /services/saved/searches splunk_server=local 
| rex field=search "^(?<base>[^\|]*)" 
| regex base="(?:\s\*)|(?:\s\w+\*)" 
| table eai:acl.app title search
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gulizar
New Member
‎06-04-2021 05:47 AM

Hi,

we want to find that which user used a wilcard(*) without using field in the spl. 

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-04-2021 01:46 PM
You could see all searches from _audit index. You probably get the idea from this answer https://community.splunk.com/t5/Archive/How-to-find-all-the-searches-having-quot-index-quot-in-the/m...
r. Ismo
0 Karma
Reply

gulizar
New Member
‎06-04-2021 05:37 AM

Hi,

thank you so much. this search does not satisfy my request.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2021 07:59 AM

You could use the ReST API to retrieve dashboard detail for example, and examine the queries defined there.

| rest splunk_server=local servicesNS/-/-/data/ui/views/
0 Karma
Reply

gulizar
New Member
‎06-04-2021 05:43 AM

Hi,

thank you so much. this search does not satisfy my request. this search gave a dashboard list. i want to learn which user used the wilcard (*) character in the spl of reports and alerts.

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...