Splunk Search

Is there a way to replace indexes specified in previously created searches at search-time?

jeffreyjewitt
Explorer

Hi:
I am looking at having greater control over our indexes. The problem I have is that there are tons of searches that are already created that reference specific indexes.
Is there any way to do an at-search-time replacement of a search that was entered?
Current setup:
index=firewalls

New setup (What I'd like to do):
index=productionfirewalls
index=nonproductionfirewalls

The reason I'd like to set this up this way is that I want to be able to specify different time-based retention policies based on the environment that the index is for. Say, production data might be x years, and non-production might be 1 year of retention.

What I'd like to do is have existing searches that use index=firewalls automatically replace that part with index=productionfirewalls OR index=nonproductionfirewalls when a user searches for index=firewalls.

Is this possible?
Thank you for any information you could provide.
-Jeff

1 Solution

masonmorales
Influencer

I'm not aware of a way to do what you are describing. Since you've already specified index=x in the first part of your search, there isn't a way to go back and re-search index=y OR index=z instead of index=x in the second part.

You'll probably want to do a find/replace on savedsearches.conf. The local-level one is at:

/opt/splunk/etc/apps/YOURAPP/local/savedsearches.conf

Although, if you are going to touch every search, you might want to create event types first, and then change "index=x" to "eventtype=x" in all of your searches, so that future changes are less invasive. More about event types here: http://www.splunk.com/view/SP-CAAAGYK

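The find/replace the answer above recommends is easy to get subtly wrong: a naive `sed 's/index=firewalls/.../'` also rewrites `index=firewalls_archive`, touches non-search keys, misses `index="firewalls"` with quotes, and an inline `index=a OR index=b` substitution changes boolean precedence unless it is parenthesised. The script below is an added example (not code from the post or from Splunk) that rewrites only the `search =` values of a savedsearches.conf, including backslash-continued lines, as whole-token matches, and emits the matching eventtypes.conf stanza. The file contents, the index names `productionfirewalls`/`nonproductionfirewalls` and the stanza names are constructed from the question for illustration; the real file path is the one the answer gives.

```python
"""Rewrite saved searches that pin an index name, the way the answer above
suggests (find/replace on savedsearches.conf), either to an eventtype or to a
parenthesised OR of the new indexes.

Added example, not from the original post. All file contents and names below
are constructed for illustration; the real file lives under
$SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf.
"""
import re

# Constructed sample savedsearches.conf (not from the page).  Note the
# backslash line continuation, which Splunk .conf files allow in values,
# and the non-search key that mentions the index and must stay untouched.
SAMPLE_SAVEDSEARCHES = """\
[Firewall denies per hour]
search = index=firewalls action=blocked \\
    | timechart span=1h count by src_ip
dispatch.earliest_time = -24h

[Firewall archive report]
description = index=firewalls is mentioned here but this is not a search key
search = index="firewalls" OR index=firewalls_archive | stats count
"""

# Old index -> the indexes that replace it (assumed names from the question).
INDEX_SPLITS = {
    "firewalls": ["productionfirewalls", "nonproductionfirewalls"],
}


def eventtypes_conf(splits):
    """Render an eventtypes.conf so that eventtype=<old> covers the new indexes."""
    stanzas = []
    for old, new in splits.items():
        terms = " OR ".join(f"index={n}" for n in new)
        stanzas.append(f"[{old}]\nsearch = {terms}\n")
    return "\n".join(stanzas)


def _pattern(index_name):
    # Match index=<name> or index="<name>" as a whole token: do not touch
    # index=<name>_archive or index=<name>* (those have different semantics).
    return re.compile(
        r'\bindex\s*=\s*"?' + re.escape(index_name) + r'"?(?![\w*"])'
    )


def rewrite_search(search_text, splits, mode="eventtype"):
    """Rewrite every pinned old index in one search string.

    mode="eventtype": index=firewalls -> eventtype=firewalls  (a single term,
        so boolean precedence in the surrounding search is unchanged).
    mode="inline":    index=firewalls -> (index=a OR index=b)  (parenthesised,
        otherwise the OR would swallow the neighbouring terms).
    Returns (new_text, number_of_replacements).
    """
    total = 0
    for old, new in splits.items():
        if mode == "eventtype":
            repl = f"eventtype={old}"
        elif mode == "inline":
            repl = "(" + " OR ".join(f"index={n}" for n in new) + ")"
        else:
            raise ValueError(f"unknown mode {mode!r}")
        search_text, n = _pattern(old).subn(repl, search_text)
        total += n
    return search_text, total


def rewrite_conf(conf_text, splits, mode="eventtype"):
    """Apply rewrite_search to the 'search' key of every stanza, including
    its continuation lines, and leave every other key untouched."""
    out, total = [], 0
    in_search = False
    for line in conf_text.splitlines():
        if not in_search:
            in_search = re.match(r"^search\s*=", line) is not None
        if in_search:
            line, n = rewrite_search(line, splits, mode)
            total += n
            in_search = line.rstrip().endswith("\\")  # value continues?
        out.append(line)
    return "\n".join(out) + "\n", total


if __name__ == "__main__":
    new_conf, n = rewrite_conf(SAMPLE_SAVEDSEARCHES, INDEX_SPLITS)
    print(f"# {n} replacement(s)\n{new_conf}")
    print("# eventtypes.conf stanza to add:\n" + eventtypes_conf(INDEX_SPLITS))
```

Run it against a copy of the file, diff the output against the original, and reload the app (or restart) before deleting anything; the eventtype route keeps each saved search a one-token change, which is why the answer suggests it when every search has to be touched anyway.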