Re: list out saved searches which are used index=*...

john_q · ‎02-23-2017

Hi all,
we have hundreds of saved searches,but the problem is while creating savedsearches they were used index= *

instead of using index fully qualified name.so i want to list out how many savedsearches has index=*

thanks.

sylvia_gerges · ‎09-05-2022

You can also try

| regex search=.*index\s*=\s*_?\*\s

aaraneta_splunk · ‎04-20-2017

@john_q - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

SathyaNarayanan · ‎03-31-2017

| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app eai:acl.owner | eval var1=if(match(search,"index=*"), "TUNE-ME", "OK") | where var1 = "TUNE-ME"

DalJeanis · ‎03-31-2017

upvote for "TUNE-ME", but remember to mark your code.

somesoni2 · ‎02-23-2017

Give this a try

| rest /servicesNS/-/-/saved/search splunk_server=local
| regex search=".*index\s*=\s*\*.+"
| table title eai:acl.owner eai:acl.app cron_schedule dispatch.*_time search

adonio · ‎02-23-2017

Hi John_q
Try and run this search:

This is not perfect but if you will click at the arrow next to the search field in the table, it will sort searches alphabetically
and will bring the index=* searches to the top of the list

| rest /services/saved/searches
| table search eai:acl.owner title search
| search search="index=*"

Hope it helps

How to list out saved searches which are used index=* instated of using index fully qualified name?

other

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!