Splunk Search

How to find all the searches having "index=*" in the search or Alert or Reports

SathyaNarayanan
Path Finder

Hi,

I am fine-tuning my environment, so I am listing out the searches which use index=* in the search. But as * is a wildcard, it is not filtering.
Below is the query:

index=_audit action=search | convert num(total_run_time) |  eval user = if(user="n/a", "nobody", user) | stats min(_time) as _time last(user) as user max(total_run_time) as total_run_time last(search) as search by search_id | search search="*index=*"

Thanks in advance

1 Solution

alemarzu
Motivator

Hi there, try this one,

| rest /servicesNS/-/-/saved/searches | fields title search eai:acl.app | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")

Another one for the other types: ad-hoc, scheduled and API searches.

index=_audit action="search" search="*" | eval 'ad-hoc'=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1

Edited.


karlbosanquet
Path Finder

Just one thing to be aware of: each role or user may get different results when they search for index=*, depending on which indexes they are able to see and which indexes they search by default.

E.g.

An admin role set to see all internal and external indexes that searches index=* gets everything.
A user role configured to see only the main index that searches index=* only sees main index results.


DalJeanis
Legend

Remember to escape the * as \* if you are looking for that character rather than "anything".


SathyaNarayanan
Path Finder

Thanks, it's working.


SathyaNarayanan
Path Finder

Thanks, it works for the saved searches; how about for the searches made ad hoc?


SathyaNarayanan
Path Finder

I used the below line from your query and got the required list.

| eval var1=if(match(search,"index=*"), "TUNE-ME", "OK")

Thanks, alemarzu.


alemarzu
Motivator

Nice, but be aware that the match function is a regex, so you should consider using a wider regular expression to match any possibility, like (index=*, index = *, index= *, index="*").

Something like this: (?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")

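The escaping point DalJeanis raises above and alemarzu's wider pattern, checked side by side in Python as an added example (not from the thread; the sample search strings are constructed, and Python's re module stands in for Splunk's PCRE-based match()):

```python
import re

# The regex alemarzu posted, as used inside match(search, "...").
TUNE_ME_PATTERN = re.compile(
    r'(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")'
)

# The unescaped form first tried in the thread. In a regex "*" is a quantifier,
# so this reads as 'index' followed by zero or more '=' and matches almost
# every search that names an index at all.
NAIVE_PATTERN = re.compile(r'index=*')

# Constructed sample search strings (not from the page) standing in for the
# `search` field returned by `| rest /servicesNS/-/-/saved/searches` or _audit.
SAMPLE_SEARCHES = [
    'index=* sourcetype=access_combined | stats count by status',
    'index = * host=web01 error',
    'index="*" | head 10',
    'search index= * | table _time host',
    'index=main error | stats count',
    'index=_internal source=*splunkd.log log_level=ERROR',
    'index=web* | stats count',  # prefix wildcard: not caught by the thread regex
]


def classify(search: str, pattern: re.Pattern = TUNE_ME_PATTERN) -> str:
    """Mirror eval var1=if(match(search, ...), "TUNE-ME", "OK")."""
    return "TUNE-ME" if pattern.search(search) else "OK"


def flag_searches(searches, pattern=TUNE_ME_PATTERN):
    """Return {search: verdict}, like the `| table search var1` output."""
    return {s: classify(s, pattern) for s in searches}


def tune_me_count(searches, pattern=TUNE_ME_PATTERN) -> int:
    """How many searches a given pattern would flag for tuning."""
    return sum(1 for s in searches if classify(s, pattern) == "TUNE-ME")


if __name__ == "__main__":
    for s, verdict in flag_searches(SAMPLE_SEARCHES).items():
        print(f"{verdict:8} {s}")
    print("escaped regex flags", tune_me_count(SAMPLE_SEARCHES), "of", len(SAMPLE_SEARCHES))
    print("naive regex flags", tune_me_count(SAMPLE_SEARCHES, NAIVE_PATTERN),
          "of", len(SAMPLE_SEARCHES))
```

Note that the last sample (index=web*) is still a broad search but slips past the pattern, so treat the list as a starting point rather than a complete inventory.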

adonio
Ultra Champion

Hi SathyaNarayanan,
Similar question and answers here: https://answers.splunk.com/answers/504400/list-out-saved-searches-which-are-used-index-insta.html
Hope it helps.


SathyaNarayanan
Path Finder

Thanks, but when we put search="Index=*", it started listing out all the indexes again.
