After 1.5 years, still no answer!
Seeing this and the interest in this issue, I decided that I should share the next best solution, which I came up with a short while after posting this question. It's an alert which will trigger whenever anyone without the admin role runs a query which contains index=* over a period greater than 24 hours. Knowing this allows you to inform users of their mistake and ask them not to run such queries. This alert query is smart enough to see the excessive time in most cases. Since the answer is sometimes too difficult to figure out, the results will show a qualifier True, False, or Unknown for each case, thus leaving you to verify and decide whether you need to intervene or not.
Here is my INDEX_EQUAL_ASTERISK query:
index=_internal host=Your.Search.Head.Names search earliest NOT user=-
    NOT [search earliest=-65m latest=-15m index=_internal host=Your.Search.Head.Names search earliest NOT user=- | dedup sid | fields sid]
    NOT [| rest /services/authentication/users splunk_server=local | rename title as user | regex roles="admin*" | fields user]
| regex "index%3D\*%"
| regex _raw!="earliest((%3D-5m%)|(%3D-15m%)|(=-5m)|(=-15m))"
| rex "(earliest%3D(?<EarliestDate>([0-9]{2}%2F){2}[0-9]{4}(%3A[0-9]{1,2}+){3}))|(earliest(=|%3D)(?<Earliest>(-(?>[0-9]+)[^hms+])|(-(?>[2-9][5-9])h)|(-(?>[3-9][0-9])h)|(-(?>[0-9]{3,})h)|([0-9]+)))"
| rex "(latest%3D(?<LatestDate>([0-9]{2}%2F){2}[0-9]{4}(%3A[0-9]{1,2}+){3}))|(latest(=|%3D)(?<Latest>(-(?>[0-9]+)[^hms])|(-(?>[2-9][5-9])h)|(-(?>[3-9][0-9])h)|(-(?>[0-9]{3,})h)|([0-9]+)))"
| rex "sid=(?<SearchID>[0-9]+\.[0-9]+)"
| eval EarliestDate=replace(EarliestDate, "%2F", "/")
| eval EarliestDate=replace(EarliestDate, "%3A", ":")
| eval LatestDate=replace(LatestDate, "%2F", "/")
| eval LatestDate=replace(LatestDate, "%3A", ":")
| eval "> 1 day"=if(isNull(EarliestDate), if(like(Earliest,"-%") OR (tonumber(Latest)-tonumber(Earliest))>86400, "True", "False"), "Unknown")
| eval Earliest=if(isNull(EarliestDate), Earliest, EarliestDate)
| eval Latest=if(isNull(LatestDate), Latest, LatestDate)
| eval Latest=if(isNull(Latest), "now", Latest)
| where len(Earliest) > 2 AND len(Latest) > 2
| stats count as "Logs Count" by user, SearchID, Earliest, Latest, "> 1 day"
Here is the scheduled search setup:
And, finally, here is a sample alert email you will get when an alert is detected:
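The same check as a stand-alone Python script, added here as an example that is not part of this answer or of Splunk: it decodes constructed request lines in the style of the _internal access log, flags index=* searches by non-admin users, and reports True/False/Unknown for a window longer than one day. It goes a little beyond the SPL above by evaluating relative modifiers exactly (any unit, optional @ snap suffix); the sample lines, their field layout and the user names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines in the spirit of splunkd_access.log entries
# (fields trimmed to user, URL-encoded search request and sid). Not real log data.
SAMPLE_LOGS = [
    "jdoe GET /services/search/jobs?search=search%20index%3D*%20error&earliest=-7d&latest=now sid=1700000000.1",
    "asmith GET /services/search/jobs?search=search%20index%3D*%20login&earliest=-15m&latest=now sid=1700000000.2",
    "bob GET /services/search/jobs?search=search%20index%3D*%20earliest%3D1700000000%20latest%3D1700100000 sid=1700000000.3",
    "carol GET /services/search/jobs?search=search%20index%3D*%20earliest%3D01%2F02%2F2023%3A00%3A00%3A00 sid=1700000000.4",
    "dave GET /services/search/jobs?search=search%20index%3Dmain%20error&earliest=-30d sid=1700000000.5",
]

DAY = 86400
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": DAY, "w": 7 * DAY, "mon": 30 * DAY, "y": 365 * DAY}
TIME_RE = re.compile(r"\b(earliest|latest)=(\S+?)(?=[&\s]|$)")  # run on the URL-decoded line
SID_RE = re.compile(r"sid=(\d+\.\d+)")


def relative_seconds(value):
    """Seconds before 'now' for a relative modifier such as -7d, -48h@h or now; None if not relative."""
    if value == "now":
        return 0
    m = re.fullmatch(r"-(\d*)(mon|[smhdwy])(@\S*)?", value)
    if not m:
        return None  # absolute date, epoch number, or something else
    return int(m.group(1) or 1) * UNIT_SECONDS[m.group(2)]


def classify_span(earliest, latest="now"):
    """'True' / 'False' for a window longer than one day, 'Unknown' when it cannot be computed."""
    if earliest is None:
        return "Unknown"
    if earliest.isdigit() and latest.isdigit():  # both epoch timestamps
        return "True" if int(latest) - int(earliest) > DAY else "False"
    e, l = relative_seconds(earliest), relative_seconds(latest)
    if e is None or l is None:
        return "Unknown"  # e.g. MM/DD/YYYY:HH:MM:SS dates, left for manual review
    return "True" if e - l > DAY else "False"


def check_line(line, admins=frozenset()):
    """Return (user, sid, earliest, latest, qualifier) for a non-admin index=* search, else None."""
    user = line.split(" ", 1)[0]
    decoded = unquote(line)
    if user in admins or not re.search(r"index=\*(?=[\s&]|$)", decoded):
        return None
    times = dict(TIME_RE.findall(decoded))
    earliest, latest = times.get("earliest"), times.get("latest", "now")
    sid = SID_RE.search(line)
    return user, sid.group(1) if sid else None, earliest, latest, classify_span(earliest, latest)


if __name__ == "__main__":
    for hit in filter(None, (check_line(l, admins={"admin"}) for l in SAMPLE_LOGS)):
        print(hit)
```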