Update macros.conf

Author: gjanders

default/macros.conf

@@ -925,3 +925,18 @@ iseval = 0
 [splunkadmins_events_per_second]
 definition = desc.savedsearch_name IN ("Example")
 iseval = 0
+
+[indexes_extraction(1)]
+args = search
+definition = rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
+| rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexinall>[%\)]+))" max_match=50 \
+| rex field=indexinall "(?s)\s*(\"(?P<indexin>[^\", ]+))|(?P<indexin2>[^,\s\"]+)" max_match=50 \
+| makemv tokenizer="([^, ]+)" indexin \
+| eval indexes=mvappend(indexregex,indexin) \
+| eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
+| eval wildcard=mvfilter(match(indexes,"\*")) \
+| where isnull(wildcard) \
+| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
+| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
+| eval indexes=mvdedup(indexes)
+iseval = 0