Hello Simon Mandy,
maybe you want to try this:
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | rex field=search "index=(?P<search_index>[^ ]+)" | stats count by search_index | sort - count
I hope this helps.
This works fine if only one index is searched, but if you have something like this:
index=ciscofirewall OR index="cpfirewall" user="Garth"
Your result will only show cisco_firewall.
A search like this:
will show up as *_firewall*
Other than that, it's a nice way to see what is used in searches.
Yes you are right.
The first problem should be solvable with the "maxmatch=[number]" parameter.
The second problem isn't really a problem. If there are many searches against *firewall, you know you have to improve all of the matching indexes.
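The two points in this thread (the rex in the first answer only keeps the first index= of an OR'd search, and the fix is the rex option, which Splunk spells max_match, with max_match=0 meaning unlimited) can be checked outside Splunk. The following Python is an added example, not code from any of the posters; it runs the same filtering and extraction logic over a handful of constructed audit events whose layout only loosely imitates index=_audit (field order, the absence of single quotes inside the search string, and the exact scheduler and typeahead markers are assumptions of the example), then counts index usage once with the first-match behaviour and once with all matches.

```python
import re
from collections import Counter

# Constructed sample events modelled loosely on Splunk's index=_audit format.
# They are NOT real audit output; the field layout is an assumption of this example.
SAMPLE_AUDIT_EVENTS = [
    "Audit:[user=garth, action=search, info=granted, search_id='1700000001.1', "
    "search='search index=ciscofirewall OR index=\"cpfirewall\" user=\"Garth\"']",
    "Audit:[user=garth, action=search, info=granted, search_id='1700000002.1', "
    "search='search index=*_firewall action=blocked']",
    "Audit:[user=simon, action=search, info=granted, search_id='1700000003.1', "
    "search='search index=ciscofirewall | stats count by src_ip']",
    # Scheduled, typeahead, history, system-user and denied events are noise and are
    # dropped, mirroring the NOT clauses in the thread's search.
    "Audit:[user=garth, action=search, info=granted, "
    "search_id='scheduler__garth__search__RMD5abc_at_1700000000_1', "
    "search='search index=cpfirewall | stats count']",
    "Audit:[user=garth, action=search, info=granted, search_id='1700000004.1', "
    "search='typeahead prefix=\"index=cp\" count=10']",
    "Audit:[user=garth, action=search, info=granted, search_id='1700000005.1', "
    "search='|history']",
    "Audit:[user=splunk-system-user, action=search, info=granted, search_id='1700000006.1', "
    "search='search index=_internal | head 1']",
    "Audit:[user=simon, action=search, info=denied, search_id='1700000007.1', "
    "search='search index=ciscofirewall']",
]

# Pulls the fields the thread's search keys on out of one constructed event.
FIELD_RE = re.compile(
    r"user=(?P<user>[^,\]]+), action=(?P<action>[^,\]]+), info=(?P<info>[^,\]]+), "
    r"search_id='(?P<search_id>[^']*)', search='(?P<search>[^']*)'"
)

# Same pattern as the rex in the first answer: everything after index= up to a space,
# so a quoted value like index="cpfirewall" is captured with its quotes.
INDEX_RE = re.compile(r"index=(?P<search_index>[^ ]+)")


def parse_event(line):
    """Return the audit fields as a dict, or None if the line does not match."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else None


def is_interactive_search(ev):
    """Approximate the search's action/info filter and its NOT clauses as prefix checks."""
    return (
        ev["action"] == "search"
        and ev["info"] == "granted"
        and not ev["search_id"].startswith("scheduler")
        and not ev["search"].startswith("|history")
        and ev["user"] != "splunk-system-user"
        and not ev["search"].startswith("typeahead")
        and ev["search"] != "| metadata type=* | search totalCount>0"
    )


def extract_indexes(search, max_match=1):
    """Return the index= values in a search string, quotes stripped.

    max_match mirrors rex: 1 keeps only the first match (rex's default, which is
    what the thread's search does), 0 means unlimited.
    """
    found = [m.group("search_index").strip('"') for m in INDEX_RE.finditer(search)]
    return found if max_match == 0 else found[:max_match]


def count_index_usage(lines, max_match=1):
    """Equivalent of '... | stats count by search_index' over the filtered events."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_interactive_search(ev):
            continue
        counts.update(extract_indexes(ev["search"], max_match))
    return counts


if __name__ == "__main__":
    for mm in (1, 0):
        print(f"max_match={mm}:")
        for idx, n in count_index_usage(SAMPLE_AUDIT_EVENTS, mm).most_common():
            print(f"  {idx:<16} {n}")
```

With max_match=1 the OR'd search is credited to ciscofirewall only and cpfirewall never appears, which is the first problem raised above; with max_match=0 both indexes are counted. The wildcard search is reported as *_firewall exactly as the second comment describes, so wildcard patterns still have to be resolved by hand against the indexes they match.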