Splunk Search

How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan
Path Finder

Hi,

I am fine-tuning my environment, so I am listing out the searches which are using index=* in the search. But as * is a wildcard, it is not filtering.
Below is the query:

index=_audit action=search | convert num(total_run_time) |  eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search="*index=*"

Thanks in advance

0 Karma
1 Solution

alemarzu
Motivator

Hi there, try this one,

| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")

Another one for both types, Ad-Hoc, Scheduled and API searches.

index=_audit action="search" search="*" | eval ad-hoc=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1

Edited.


karlbosanquet
Path Finder

Just one thing to be aware of: each role or user may get different results when they search for index=*, due to which indexes they are able to see and what they search by default.

E.g.

Admin role set to see all internal and external indexes: searching index=* gets everything.
User role configured to only see the main index: searching index=* only sees main index results.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Remember to escape the * as \* if you are looking for that character rather than "anything".

0 Karma

SathyaNarayanan
Path Finder

Thanks, it is working.

0 Karma


SathyaNarayanan
Path Finder

Thanks, it works for the saved searches; how about for the searches made ad hoc?

0 Karma

SathyaNarayanan
Path Finder

I used the below line from your query and got the required list.

| eval var1=if(match(search,"index=*"), "TUNE-ME", "OK")

Thanks Alemarzu

0 Karma

alemarzu
Motivator

Nice, but be aware that the match function is a regex, so you should consider using a wider regular expression to match any possibility, like (index=*, index = *, index= *, index="*").

Something like this: (?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")

0 Karma
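The difference between the naive match(search,"index=*") and the wider regex above is easier to see when both are run over a handful of saved-search definitions. The Python script below is an added example, not code from this thread or from Splunk: it reproduces the thread's TUNE-ME/OK classification with Python's re module (which agrees with Splunk's PCRE-based match() for these patterns), runs it over a constructed list shaped like the title/search/eai:acl.app fields returned by /servicesNS/-/-/saved/searches, and adds a generalized pattern (GENERAL_PATTERN, my own, not from the thread) that also tolerates arbitrary spacing around the equals sign while still excluding prefix wildcards such as index="*abc".

```python
import re

# The wider pattern posted in the thread (alemarzu's), covering the
# spacing/quoting variants of index=* that the thread enumerates.
TUNE_ME_PATTERN = re.compile(
    r'(?:index=\*|index=\s\*|index\s=\s\*|index="\*"|index ="\*"|index = "\*")'
)

# The naive pattern from the follow-up post. As a regex, "index=*" means
# 'index' followed by ZERO OR MORE '=' characters, so it fires on any search
# that merely mentions the word index.
NAIVE_PATTERN = re.compile(r'index=*')

# Assumed generalization (not from the thread): any whitespace around '=',
# optional quotes, and the '*' must be the whole index value, so index="*abc"
# (a prefix wildcard) is not flagged.
GENERAL_PATTERN = re.compile(r'index\s*=\s*"?\*"?(?=[\s|)]|$)')

# Constructed sample data shaped like the rest endpoint's output; not from any real environment.
SAMPLE_SAVED_SEARCHES = [
    {"title": "all_errors",     "search": 'index=* error',                  "eai:acl.app": "search"},
    {"title": "spaced",         "search": 'index = * sourcetype=syslog',    "eai:acl.app": "search"},
    {"title": "quoted",         "search": 'index="*" failed',               "eai:acl.app": "security"},
    {"title": "wide_spacing",   "search": 'index  =  "*" | stats count',    "eai:acl.app": "search"},
    {"title": "scoped",         "search": 'index=main error',               "eai:acl.app": "search"},
    {"title": "prefix_wild",    "search": 'index="*abc" error',             "eai:acl.app": "search"},
    {"title": "mentions_index", "search": 'sourcetype=x | stats count by index', "eai:acl.app": "search"},
]


def classify(search, pattern=TUNE_ME_PATTERN):
    """Mirror eval var1=if(match(search, <regex>), "TUNE-ME", "OK") from the thread."""
    return "TUNE-ME" if pattern.search(search) else "OK"


def audit(saved_searches, pattern=TUNE_ME_PATTERN):
    """Return (title, app, verdict) rows, like '| table title eai:acl.app var1'."""
    return [(s["title"], s["eai:acl.app"], classify(s["search"], pattern))
            for s in saved_searches]


def tune_me_titles(saved_searches, pattern=TUNE_ME_PATTERN):
    """Only the saved searches a tuning pass should look at."""
    return [title for title, _app, verdict in audit(saved_searches, pattern)
            if verdict == "TUNE-ME"]


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_PATTERN),
                          ("thread", TUNE_ME_PATTERN),
                          ("general", GENERAL_PATTERN)):
        print(f"--- {name} pattern ---")
        for title, app, verdict in audit(SAMPLE_SAVED_SEARCHES, pattern):
            print(f"{verdict:8} {app:10} {title}")
```

Running it shows why the follow-up's warning matters: the naive pattern flags every sample, including the scoped index=main search and the one that only groups by the index field, while the thread's pattern flags exactly the three wildcard forms it lists. The generalized pattern additionally catches the doubly spaced variant and still leaves the prefix wildcard alone; whether a prefix wildcard counts as "tune me" is a policy choice for your environment.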

adonio
Ultra Champion

Hi SathyaNarayanan,
Similar question and answers here: https://answers.splunk.com/answers/504400/list-out-saved-searches-which-are-used-index-insta.html
Hope it helps.

0 Karma

SathyaNarayanan
Path Finder

Thanks, but when we put search="Index=*", it started listing out all the indexes again.

0 Karma