Splunk Search

How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan
Path Finder

Hi,

I am fine-tuning my environment, so I am listing out the searches which use index=* in the search. But as * is a wildcard, it is not filtering.
Below is the query:

index=_audit action=search | convert num(total_run_time) |  eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search="*index=*"

Thanks in advance


alemarzu
Motivator

Hi there, try this one,

| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")

Another one for both types, Ad-Hoc, Scheduled and API searches.

index=_audit action="search" search="*" | eval ad-hoc=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1

Edited.


karlbosanquet
Path Finder

Just one thing to be aware of: each role or user may get different results when they search for index=*, due to which indexes they are able to see and which they search by default.

E.g.

An admin role set to see all internal and external indexes searches index=* and gets everything.
A user role configured to only see the main index searches index=* and only sees main index results.


DalJeanis
SplunkTrust
SplunkTrust

Remember to escape the * as \* if you are looking for that character rather than "anything".


SathyaNarayanan
Path Finder

Thanks, it's working.


SathyaNarayanan
Path Finder

Thanks, it works for the saved searches; how about the searches made ad hoc?


SathyaNarayanan
Path Finder

I used the line below from your query and got the required list.

| eval var1=if(match(search,"index=*"), "TUNE-ME", "OK")

Thanks, Alemarzu.


alemarzu
Motivator

Nice, but be aware that the match function is a regex, so you should consider using a wider regular expression to match any possibility, like (index=*, index = *, index= *, index="*").

Something like this: (?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")

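The difference between the two patterns discussed above, as an added Python example that is not from the thread (the sample search strings are constructed): the thread's regex flags only wildcard-index searches, while the shortened "index=*" read as a regex means "index" followed by zero or more "=" and therefore flags every search that merely mentions an index.

```python
import re

# Constructed sample search strings (not from the page): a mix of
# wildcard-index searches that should be flagged and targeted ones that should not.
SAMPLE_SEARCHES = [
    'index=* sourcetype=access_combined | stats count',
    'index = * error',
    'index="*" earliest=-1h',
    'index=main error',
    'index=_internal | head 10',
    'search index=* | top host',
]

# The pattern posted in the thread, used as-is.
THREAD_PATTERN = re.compile(
    r'(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")'
)

# The shortened pattern from the follow-up: as a regex the trailing `*` means
# "zero or more `=`", so this matches any search that simply contains "index".
NAIVE_PATTERN = re.compile(r'index=*')


def classify(search: str, pattern: re.Pattern) -> str:
    """Mirror the SPL eval: 'TUNE-ME' when the regex matches, otherwise 'OK'."""
    return "TUNE-ME" if pattern.search(search) else "OK"


def tune_list(searches, pattern):
    """Return the searches a given regex would flag as using a wildcard index."""
    return [s for s in searches if classify(s, pattern) == "TUNE-ME"]


if __name__ == "__main__":
    for name, pat in (("thread regex", THREAD_PATTERN), ("naive regex", NAIVE_PATTERN)):
        print(f"{name}:")
        for s in SAMPLE_SEARCHES:
            print(f"  {classify(s, pat):8} {s}")
```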

adonio
Ultra Champion

Hi SathyaNarayanan,
Similar question and answers here: https://answers.splunk.com/answers/504400/list-out-saved-searches-which-are-used-index-insta.html
Hope it helps.


SathyaNarayanan
Path Finder

Thanks, but when we put search="Index=*", it started listing out all the indexes again.
