Hello, I am trying to bring up a search that will tell me how much each index is being used, but the search_index field doesn't work. Here is the search:

```spl
index=_audit action=search (id=* OR search_id=*)
| rex "user=(?<user>.*?),"
| search user!=splunk-system-user
| search user!=admin
| search search!=*_internal* search!=*_audit*
| rex max_match=0 field=search_index "((?:index(\")?=(?:\\|\\\"|\")?)|(?:s\w+\s\S))(?<my_indexes>[^\\\s\"]+)"
| eval search_index=mvdedup(search_index)
| convert num(total_run_time)
| eval time_of_search=strftime(_time, "%F %T")
| table user time_of_search total_run_time savedsearch_name search_index search
```
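The pipeline above reads `_audit` search events, pulls the user out of the event text, drops system and admin users and anything touching `_internal`/`_audit`, then tries to extract the index names each search referenced. As an added example (not part of the original post and not Splunk code), the Python below models that same flow over a handful of constructed audit lines so the extraction logic can be checked outside Splunk: `INDEX_RE` is a simplified stand-in for the posted rex, written to accept `index=foo`, `index="foo"` and `index=\"foo\"`, and its capture is named `search_index` so the later dedup and table steps see the field. The sample events, user names and index names are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample events in the shape of index=_audit action=search lines.
# They are invented for this example and are not real audit data.
AUDIT_LINES = [
    "Audit:[timestamp=01-15-2024 10:00:01.000, user=alice, action=search, info=granted, "
    "search_id='1705312801.1', search='search index=web sourcetype=access_combined status=500', "
    "total_run_time=2.5, savedsearch_name=\"\"]",
    "Audit:[timestamp=01-15-2024 10:05:12.000, user=bob, action=search, info=granted, "
    "search_id='1705313112.2', search='search index=\"firewall\" action=blocked | stats count by src_ip', "
    "total_run_time=7.1, savedsearch_name=\"Blocked Sources\"]",
    "Audit:[timestamp=01-15-2024 10:07:40.000, user=splunk-system-user, action=search, info=granted, "
    "search_id='1705313260.3', search='search index=_internal component=Metrics', "
    "total_run_time=0.3, savedsearch_name=\"\"]",
    "Audit:[timestamp=01-15-2024 10:09:00.000, user=alice, action=search, info=granted, "
    "search_id='1705313340.4', search='search index=web OR index=proxy earliest=-1h', "
    "total_run_time=4.0, savedsearch_name=\"\"]",
    "Audit:[timestamp=01-15-2024 10:12:30.000, user=admin, action=search, info=granted, "
    "search_id='1705313550.5', search='search index=_audit action=search', "
    "total_run_time=1.1, savedsearch_name=\"\"]",
]

# Same idea as the posted rex "user=(?<user>.*?),": first user= up to the next comma.
USER_RE = re.compile(r"user=(?P<user>.*?),")
# The search text sits between search='...' and the total_run_time field in these samples.
SEARCH_RE = re.compile(r"search='(?P<search>.*?)', total_run_time=(?P<total_run_time>[0-9.]+)")
TS_RE = re.compile(r"timestamp=(?P<ts>\S+ \S+),")
SAVED_RE = re.compile(r'savedsearch_name="(?P<name>[^"]*)"')
# Simplified stand-in for the index-extracting rex: accepts index=foo,
# index="foo" and index=\"foo\" and captures only the bare index name.
INDEX_RE = re.compile(r'index\s*=\s*(?:\\?")?(?P<search_index>[^\s"\\,)|]+)')

# Mirrors the two "search user!=" lines and the "search!=*_internal* search!=*_audit*" filter.
EXCLUDED_USERS = {"splunk-system-user", "admin"}
EXCLUDED_SEARCH_TERMS = ("_internal", "_audit")


def extract_indexes(search_text):
    """Return the distinct index names referenced, first-seen order (like mvdedup)."""
    seen = []
    for m in INDEX_RE.finditer(search_text):
        idx = m.group("search_index")
        if idx not in seen:
            seen.append(idx)
    return seen


def parse_audit_line(line):
    """Pull the fields the table step needs out of one audit event, or None if unparsable."""
    u, s, t = USER_RE.search(line), SEARCH_RE.search(line), TS_RE.search(line)
    if not (u and s and t):
        return None
    saved = SAVED_RE.search(line)
    return {
        "user": u.group("user"),
        "time_of_search": t.group("ts"),
        "total_run_time": float(s.group("total_run_time")),  # convert num(total_run_time)
        "savedsearch_name": saved.group("name") if saved else "",
        "search": s.group("search"),
    }


def audit_rows(lines):
    """Apply the user and search-text exclusions, then attach search_index to each row."""
    rows = []
    for line in lines:
        row = parse_audit_line(line)
        if row is None or row["user"] in EXCLUDED_USERS:
            continue
        if any(term in row["search"] for term in EXCLUDED_SEARCH_TERMS):
            continue
        row["search_index"] = extract_indexes(row["search"])
        rows.append(row)
    return rows


def index_usage(rows):
    """Count how many retained searches referenced each index."""
    counts = Counter()
    for row in rows:
        counts.update(row["search_index"])
    return counts


if __name__ == "__main__":
    rows = audit_rows(AUDIT_LINES)
    for r in rows:
        print(r["user"], r["time_of_search"], r["total_run_time"],
              repr(r["savedsearch_name"]), r["search_index"], r["search"], sep=" | ")
    print(dict(index_usage(rows)))
```

Running it keeps three of the five sample events (the system-user and admin searches are dropped, and the admin one would also fail the `_audit` filter) and reports `web` twice and `firewall` and `proxy` once each. Searches with no `index=` clause come back with an empty list rather than an error, which is worth keeping in mind when reading the per-index totals, since such searches still consume the default index set without showing up in the count.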
In the first line of your search, you misspelled "seach_id"
Yep, ignore that, I could only copy from a different machine in this case, so was typing all this out. (Fixed)