Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to replace indexes specified in previously created searches at search-time?

jeffreyjewitt
Explorer
‎04-01-2015 01:07 PM

Hi:
I am looking at having greater control over our indexes. The problem I have, is that there are tons of searches that are already created that reference specific indexes.
Is there anyway to do a at-search time replacement of a search that was entered?
Current setup:
index=firewalls

New setup (What I'd like to do):
index=productionfirewalls
index=nonproductionfirewalls

The reason I'd like to set this up this way, is that I want to be able to specify different time based retention policies based on the environment that the index is for. Say, production data might be x years, and non production might be 1 year of retention.

What I'd like to do is have existing searches that use index=firewalls, automatically replace that part with index=productionfirewalls OR index=nonproductionfirewalls automatically, when a user searches for index=firewalls

Is this possible?
Thanks you for any information you could provide.
-Jeff

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

masonmorales
Influencer
‎04-01-2015 01:18 PM

I'm not aware of a way to do what you are describing. Since you've already specified index=x in the first part of your search, there isn't a way to go-back and re-search index=y OR index=z instead of index=x in the second part.

You'll probably want to do a find/replace on savedseaches.conf. The local level one is at:

/opt/splunk/etc/apps/YOURAPP/local/savedsearches.conf

Although, if you are going to touch every search, you might want to create event types first, and then change "index=x" to "eventtype=x" in all of your searches, so that future changes are less invasive. More about event types here: http://www.splunk.com/view/SP-CAAAGYK

View solution in original post

Reply
Solved! Jump to solution
Solution

masonmorales
Influencer
‎04-01-2015 01:18 PM

I'm not aware of a way to do what you are describing. Since you've already specified index=x in the first part of your search, there isn't a way to go-back and re-search index=y OR index=z instead of index=x in the second part.

You'll probably want to do a find/replace on savedseaches.conf. The local level one is at:

/opt/splunk/etc/apps/YOURAPP/local/savedsearches.conf

Although, if you are going to touch every search, you might want to create event types first, and then change "index=x" to "eventtype=x" in all of your searches, so that future changes are less invasive. More about event types here: http://www.splunk.com/view/SP-CAAAGYK

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...