Hi,
I am fine-tuning my environment, so I am listing out the searches which are using index=* in the search. But as * is a wildcard, it is not filtering.
Below is the query:
index=_audit action=search | convert num(total_run_time) | eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search="*index=*"
Thanks in advance.
Hi there, try this one:
| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")
Another one for both types, Ad-Hoc, Scheduled and API searches.
index=_audit action="search" search="*" | eval ad-hoc=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1
Edited.
Just one thing to be aware of: each role or user may get different results when they search for index=*, depending on which indexes they are able to see and which indexes they search by default.
E.g.:
An admin role set to see all internal and external indexes that searches index=* gets everything.
A user role configured to only see the main index that searches index=* only sees main index results.
Remember to escape the * as \* if you are looking for that character rather than "anything".
Thanks, it's working.
Thanks, it works for the saved searches. How about for the searches made ad hoc?
I used the line below from your query and got the required list.
| eval var1=if(match(search,"index=*"), "TUNE-ME", "OK")
Thanks, Alemarzu.
Nice, but be aware that the match function is a regex, so you should consider using a wider regular expression to match any possibility, like (index=*, index = *, index= *, index="*").
Something like this: (?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")
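To make the two points above concrete (the `search` command's `*` being a wildcard that must be escaped as `\*`, and `match()` being a regex where an unescaped `*` is a quantifier), here is an added Python example that is not part of this thread: it replays the wider regex from the answer and the naive `index=*` pattern over constructed audit-log search strings, and approximates the `search` command's wildcard test. `SAMPLE_SEARCHES` and the helper names are constructed for illustration.

```python
import re

# Wider regex proposed in the answer: matches index=*, index= *, index = *, index="*" and variants.
WIDE_PATTERN = re.compile(r'(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")')

# Naive pattern from the follow-up. In a regex, "*" is a quantifier, so this means
# "index" followed by zero or more "=", which matches every search that mentions an index.
NAIVE_PATTERN = re.compile(r'index=*')


def classify(search, pattern):
    """Mirror eval var1=if(match(search, pattern), "TUNE-ME", "OK").

    Splunk's match() is an unanchored regex test, so re.search is the right analogue.
    """
    return "TUNE-ME" if pattern.search(search) else "OK"


# Constructed sample values of the audit log's search field (not real audit data).
SAMPLE_SEARCHES = [
    'index=* sourcetype=syslog error',
    'index = * | stats count by host',
    'index="*" earliest=-1h',
    'index=main error',
    'index=_audit action=search',
    '| rest /servicesNS/-/-/saved/searches',
]


def audit(searches, pattern=WIDE_PATTERN):
    """Classify each search string; only true index wildcards should be TUNE-ME."""
    return {s: classify(s, pattern) for s in searches}


def spl_wildcard_match(value, pattern):
    """Approximate the search command's wildcard test on a field value.

    '*' matches anything, '\\*' is a literal star (as the answer notes). Assumed
    case-insensitive, like Splunk field-value matching.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\' and i + 1 < len(pattern):  # escaped char is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append('.*' if pattern[i] == '*' else re.escape(pattern[i]))
        i += 1
    return re.fullmatch(''.join(out), value, re.IGNORECASE | re.DOTALL) is not None
```

With the question's filter `search="*index=*"` every search containing `index=` passes, whereas `search="*index=\**"` keeps only the wildcard ones.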
Hi SathyaNarayananan,
Similar question and answers here: https://answers.splunk.com/answers/504400/list-out-saved-searches-which-are-used-index-insta.html
Hope it helps.
Thanks, but when we put search="Index=*", it started listing out all the indexes again.