Splunk Search

How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan
Path Finder

Hi,

I am fine-tuning my environment, so I am listing out the searches which are using index=* in the search. But as * is a wildcard, it is not filtering.
Below is the query:

index=_audit action=search | convert num(total_run_time) |  eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search="*index=*"

Thanks in advance


alemarzu
Motivator

Hi there, try this one,

| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")

Another one for both types, Ad-Hoc, Scheduled and API searches.

index=_audit action="search" search="*" | eval 'ad-hoc'=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1

Edited.


karlbosanquet
Path Finder

Just one thing to be aware of: each role or user may get different results when they search for index=* due to which indexes they are able to see and which they search by default.

E.g.

An admin role set to see all internal and external indexes that searches index=* gets everything.
A user role configured to only see the main index that searches index=* only sees main index results.


DalJeanis
Legend

Remember to escape the * as \* if you are looking for that character rather than "anything".


SathyaNarayanan
Path Finder

Thanks, it is working.



SathyaNarayanan
Path Finder

Thanks, it works for the saved searches; how about the searches made ad hoc?


SathyaNarayanan
Path Finder

I used the below line from your query and got the required list.

| eval var1=if(match(search,"index=*"), "TUNE-ME", "OK")

Thanks Alemarzu


alemarzu
Motivator

Nice, but be aware that the match function uses a regex, so you should consider using a wider regular expression to match any possibility, like (index=*, index = *, index= *, index="*").

Something like this: (?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")

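To see why the regex matters, here is an added example (not from the thread) that runs the accepted answer's pattern, the asker's naive `index=*` pattern, and a broader variant of my own over constructed `search` field values, mirroring `eval var1=if(match(...), "TUNE-ME", "OK")`. Splunk's match() is PCRE-based, and Python's re handles these patterns identically; the sample searches and the BROAD_PATTERN are assumptions, not page content.

```python
import re

# Regex from the accepted answer, transcribed from the SPL match() call into a Python raw string.
ANSWER_PATTERN = re.compile(
    r'(?:index=\*|index=\s\*|index\s=\s\*|index="\*"|index ="\*"|index = "\*")'
)

# The asker's first attempt. In a regex "*" quantifies the preceding "=", so this matches
# "index" followed by zero or more "=" signs, i.e. every search that names any index at all.
NAIVE_PATTERN = re.compile(r'index=*')

# Broader variant (my assumption, not from the thread): any whitespace around "=", optional
# quotes around the "*", and a word boundary so field names merely ending in "index" are skipped.
BROAD_PATTERN = re.compile(r'\bindex\s*=\s*"?\*"?(?=\s|\||$)')

# Constructed sample values for the `search` field of index=_audit events; not real audit data.
SAMPLE_SEARCHES = [
    'search index=* sourcetype=access_combined | stats count',
    'search index = "*" error',
    'search index=main status=500 | head 10',
    'search index=_internal source=*splunkd.log*',
    '| tstats count where index=* by sourcetype',
    'search index="*" | stats count by host',
    'search index=\t"*" host=web01',   # tab after "=": none of the answer's alternatives match
]


def classify(search: str, pattern: re.Pattern) -> str:
    """Mirror of eval var1=if(match(search, <regex>), "TUNE-ME", "OK")."""
    return 'TUNE-ME' if pattern.search(search) else 'OK'


def count_flagged(searches, pattern: re.Pattern) -> int:
    """Number of searches a given pattern would mark TUNE-ME."""
    return sum(1 for s in searches if classify(s, pattern) == 'TUNE-ME')


if __name__ == '__main__':
    for name, pattern in [('naive', NAIVE_PATTERN), ('answer', ANSWER_PATTERN), ('broad', BROAD_PATTERN)]:
        print(f'{name}: {count_flagged(SAMPLE_SEARCHES, pattern)} of {len(SAMPLE_SEARCHES)} flagged')
        for s in SAMPLE_SEARCHES:
            print(f'  {classify(s, pattern):8} {s!r}')
```

The naive pattern flags all seven samples, including `index=main`, which is the false-positive behaviour the asker saw; the answer's pattern flags four, and the broader variant also catches the tab-separated form.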

adonio
Ultra Champion

Hi SathyaNarayanan,
Similar question and answers here: https://answers.splunk.com/answers/504400/list-out-saved-searches-which-are-used-index-insta.html
Hope it helps.


SathyaNarayanan
Path Finder

Thanks, but when we put search ="Index=*", it started listing out all the indexes again.
