Splunk search for Searches Using Wildcard Index

index=_audit action="search" search="*"
| eval "ad-hoc"=if(NOT user="splunk-system-user", "Yes", "No")
| eval "Using Wildcard Index"=if(match(search, "index\s*=\s*\"?\*\"?"), "TUNE-ME", "OK")
| table user search "ad-hoc" "Using Wildcard Index"
This Splunk search looks for any saved searches or knowledge objects that include a search using a wildcard for the index (index=*, with or without spaces around the equals sign or quotes around the asterisk). The "ad-hoc" column separates searches run by a user from those run by splunk-system-user, and "Using Wildcard Index" is set to TUNE-ME for the searches that match. This is useful for identifying inefficient searches that could be improved by specifying an explicit index.
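To check what the match() pattern above actually flags before running it against a busy _audit index, here is an added Python example (not part of the original page) that applies the same regex to a handful of constructed audit-style search strings and reproduces the two eval columns. The sample events, user names and helper function names are all assumptions; like the page's pattern, the check matches the prefix index=*, so a leading-wildcard index such as index=*app is flagged too, while a trailing wildcard such as index=prod* is not.

```python
import re

# Same intent as the SPL match(): "index", optional whitespace, "=", optional
# whitespace, an optional double quote, a literal "*", and an optional closing quote.
WILDCARD_INDEX_RE = re.compile(r'index\s*=\s*"?\*"?')

# Constructed sample _audit search strings (not real audit data).
SAMPLE_AUDIT_EVENTS = [
    {"user": "alice", "search": 'search index=* sourcetype=syslog error'},
    {"user": "bob", "search": 'search index = "*" | stats count by host'},
    {"user": "splunk-system-user", "search": 'search index=main | head 10'},
    {"user": "carol", "search": 'search index=prod* status=500'},
    {"user": "dave", "search": 'search index=_internal log_level=ERROR'},
    {"user": "erin", "search": 'search index=*app action=login'},
]


def uses_wildcard_index(search: str) -> bool:
    """True when the search string contains index=* in any spelling the regex covers."""
    return WILDCARD_INDEX_RE.search(search) is not None


def classify(event: dict) -> dict:
    """Mirror the two eval columns of the SPL for one audit event."""
    return {
        "user": event["user"],
        "ad-hoc": "No" if event["user"] == "splunk-system-user" else "Yes",
        "Using Wildcard Index": "TUNE-ME" if uses_wildcard_index(event["search"]) else "OK",
    }


def tune_me(events: list) -> list:
    """Users whose searches are flagged TUNE-ME, i.e. the rows a reviewer would act on."""
    return [row["user"] for row in map(classify, events) if row["Using Wildcard Index"] == "TUNE-ME"]


if __name__ == "__main__":
    for row in map(classify, SAMPLE_AUDIT_EVENTS):
        print(row)
    print("flagged:", tune_me(SAMPLE_AUDIT_EVENTS))
```

Running the file prints one row per sample event; the flagged list is the set of users whose searches select every index and are worth tuning first.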
Category: General Splunk

Tags: audit Admin

Search Commands: