Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for "index=*" in searches

sverdhan
Loves-to-Learn Lots
‎04-23-2025 01:36 AM

Hello guys,

 

I need a splunk query that list out all the alerts that have index=* in their query. Unfortunately, I can't use rest services so kindly suggest me how can i do it without using rest.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-23-2025 07:28 AM

Remember that searches might query all indexes even if they don't have verbatim "index=*" in them. There are several possible cases which might cause that behaviour:

1) Default indexes defined for a role (you should not do that but it is possible)

2) Eventtype

3) index IN (*)

4) macro

5) Data model

And please try to set a more descriptive topic for the thread next time.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-23-2025 02:22 PM

This is true @sverdhan  - As @PickleRick has said, this might not cover everything you're expecting. 

I spent a big chunk of time once trying to find "every" combination for a project I was working on to automatically notify of people doing this, however they often found clever ways around, things like using inputlookup, makeresults etc in subsearches.

However, it might catch "most" of your queries - ultimately your mileage may vary!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-23-2025 02:23 AM

Hi @sverdhan 

You can use the _audit index to find these, its not possible to search for a literal asterisk in Splunk but you can use a match command within where to filter as below. Note, the NOT "index=_audit" is to stop your own searches for asterisks searches from coming back!

index=_audit info=granted  NOT "index=_audit" NOT typeahead | where match(search, ",*index\s?=\s?\*")

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-23-2025 01:44 AM

You could look through the _internal index to see what searches have been performed. This only tells you what have been executed, not what could potentially execute i.e. there could still be alerts which haven't run but may run in the future which use index=*

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...