MuS,
Yes, that is definitely very interesting and I am looking forward to testing that out.
We have forced the requirement of using an index for all users, with the default search index not going to return any results, but unfortunately it does not solve index=*, as I don't believe the SPL optimization will either.
My main concern continues further down the stack as well, wanting users to develop queries that specify index=, sourcetype= and maybe even host= as well. I expect this is not likely something we will be able to do; we probably just need to improve our user base training, but with over 2K unique user logins each month it is a large task to train everyone.
Thanks
Rich