Update savedsearches.conf

gjanders · web-flow · commit 3b512265ba85 · 2025-11-17T11:41:56.000+11:00
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
@@ -4715,16 +4715,10 @@ search = | multisearch \
  ```We now deal with cases where search earliest/latest times were not specified, assume all time is about 1 year in the past and latest time was the search run time``` \
 | eval search_lt=if(search_lt=="N/A",timestamp,search_lt), search_et=if(search_et=="N/A",now()-(365*24*60*60),search_et) \
   ```Extract out index= or index IN (a,b,c) but avoid NOT index in (...) and NOT index=... and also NOT (...anything) statements``` \
-| rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
+| `indexes_extraction(search)` \
 | eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
 | eval wildcard=mvfilter(match(indexes,"\*")) \
 | where isnull(wildcard) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
 | eval multi=if(mvcount(indexes)>1,"true","false") \
 | stats values(timestamp) AS _time, values(total_run_time) AS total_run_time, values(event_count) AS event_count, values(scan_count) AS scan_count, values(search_et) AS search_et, values(search_lt) AS search_lt, values(savedsearch_name) AS savedsearch_name, values(multi) AS multi, max(duration_index) AS duration_index, max(duration_rawdata) AS duration_rawdata, max(cache_index_hits) AS cache_index_hits, max(cache_index_miss) AS cache_index_miss, max(cache_index_hit_duration) AS cache_index_hit_duration, max(cache_index_miss_duration) AS cache_index_miss_duration, max(cache_rawdata_hits) AS cache_rawdata_hits, max(cache_rawdata_miss) AS cache_rawdata_miss, max(cache_rawdata_hit_duration) AS cache_rawdata_hit_duration, max(cache_rawdata_miss_duration) AS cache_rawdata_miss_duration, values(provenance) AS provenance by user, type, indexes, search_head_cluster, search_id, app_name \
 | eval period=search_lt-search_et \
@@ -4818,10 +4812,7 @@ search = | multisearch \
 | rex field=search "(?P<esstylewildcard>\(\s*index=\*\s+OR\s+index=_\*\s*\))" \
 | rex mode=sed field=search "s/search index=\s*\S+\s+index\s*=/search index=/g" \
   ```Extract out index= or index IN (a,b,c) but avoid NOT index in (...) and NOT index=... and also NOT (...anything) statements``` \
-| rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
+| `indexes_extraction(search)` \
 | eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
 | eval wildcard=mvfilter(match(indexes,"\*")) \
 | where isnotnull(wildcard) OR isnull(indexes) \
@@ -7024,13 +7015,7 @@ invocations_command_search_index_bucketcache_miss>0 OR invocations_command_searc
 | search total_cache_miss>0 \
 | search provenance=*Dashboard* \
 | eval total_hours_searched=round(total_hours_searched,1) \
-| rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
+| `indexes_extraction(search)` \
 | eval has_pipe=if(match(search,"\|"),"true",null()) \
 | rex field=search "(?P<search>[^\|]+\|)" \
 | eval search = if(isnotnull(has_pipe),search . " ... (trimmed)",search)\
@@ -7079,13 +7064,7 @@ invocations_command_search_index_bucketcache_miss>0 OR invocations_command_searc
 | `base64decode(base64appname)` \
 | eval app3="N/A", app=coalesce(app,app2,base64appname,app3) \
 | stats latest(mostRecent) AS mostRecent, count as number_of_runs values(host) as host values(total_hours_searched) AS total_hours_searched values(total_days_searched) AS total_days_searched max(run_time) AS max_run_time avg(run_time) AS avg_run_time sum(run_time) AS sum_run_time sum(total_cache_miss) as total_cache_miss max(result_count) AS result_count max(event_count) AS event_count max(searched_buckets) AS searched_buckets values(info) AS info values(numofsearchesinquery) AS numofsearchesinquery, values(app) AS app by users search \
-| rex field=search "(?s)(NOT\s+index(\s*=\s*|::[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
+| `indexes_extraction(search)` \
 | rex max_match=100 field=search "tag=(?<tags>[^\s+\||\)]+)" \
 | rex max_match=100 field=search "eventtype=(?<eventtypes>[^\s+\||\)]+)" \
 | rex max_match=100 field=search "(?<macros>\`[^\s]+\`)" \
@@ -7134,13 +7113,7 @@ invocations_command_search_index_bucketcache_miss>0 OR invocations_command_searc
 | search total_cache_miss>0 \
 | eval total_hours_searched=round(total_hours_searched,1) \
 | stats latest(mostRecent) AS mostRecent, count as number_of_runs, values(host) as host values(total_hours_searched) AS total_hours_searched values(total_days_searched) AS total_days_searched max(run_time) AS max_run_time avg(run_time) AS avg_run_time sum(run_time) AS sum_run_time sum(total_cache_miss) as total_cache_miss max(result_count) AS result_count max(event_count) AS event_count max(searched_buckets) AS searched_buckets values(info) AS info values(numofsearchesinquery) AS numofsearchesinquery, values(provenance) AS provenance, values(app) AS app by users search \
-| rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
+| `indexes_extraction(search)`
 | eval has_pipe=if(match(search,"\|"),"true",null())\
 | rex max_match=100 field=search "tag=(?<tags>[^\s+\||\)]+)" \
 | rex max_match=100 field=search "eventtype=(?<eventtypes>[^\s+\||\)]+)" \
@@ -8231,14 +8204,7 @@ search = | rest `splunkadmins_restmacro` timeout=900 /servicesNS/-/-/data/models
 | `splunkadmins_macro_sub('eai:data')` \
 | regex eai:data="index\s*(=|[iI][nN])" \
 | rex field=eai:data "(?P<esstylewildcard>\(\s*index=\*\s+OR\s+index=_\*\s*\))" \
-| rex field=eai:data "(?sm)(NOT\s+index\s*(=|::)\s*[^ ]+)|(NOT\s+\([^\)]+\))|(index\s*(=|::)\s*(\\\)?\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=eai:data "(?sm)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
-| eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
+| `indexes_extraction(eai:data)` \
 | table title, indexes, eai:data, eai:acl.app
 
 [SearchHeadLevel - Job performance data per indexer]
@@ -8478,13 +8444,7 @@ search = | rest /servicesNS/-/-/saved/searches f=next_scheduled_time f=search f=
 | nomv prepipe_subsearch \
 | fillnull prepipe_subsearch value=" " \
 | eval prepipe = prepipe . " " . prepipe_subsearch \
-| rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=prepipe "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
+| `indexes_extraction(prepipe)` \
 | eval count=mvcount(indexes) \
 | rename eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing \
 | table title, app, indexes, count, owner, sharing, updated
@@ -8577,16 +8537,10 @@ search = index=_audit savedsearch_name="$savedsearch_name$" host IN ($host$) \
 | regex search="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|multisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+" \
 | regex search!="(\||^)\s*(append|union|multisearch|set|appendcols|appendpipe|join|map)" \
 | rex field=search "(?s)^(?P<prepipe>\s*\|?([^\|]+))" \
-| rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=prepipe "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
+| `indexes_extraction(prepipe)` \
 | eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
 | eval wildcard=mvfilter(match(indexes,"\*")) \
 | where isnull(wildcard) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
 | eval count=mvcount(indexes) \
 ```| where count==1 \
 | search indexes!=_* ```\
@@ -8884,13 +8838,7 @@ search = | rest `splunkadmins_restmacro` /servicesNS/-/-/data/ui/views f=eai:dat
 | nomv prepipe_subsearch \
 | fillnull prepipe_subsearch value=" " \
 | eval prepipe = prepipe . " " . prepipe_subsearch \
-| rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
-| rex field=prepipe "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv tokenizer="([^, ]+)" indexin \
-| eval indexes=mvappend(indexregex,indexin) \
-| eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
-| eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
-| eval indexes=mvdedup(indexes) \
+| `indexes_extraction(prepipe)` \
 | stats values(indexes) AS indexes by title
 
 [AllSplunkEnterpriseLevel - Splunk servers with resource starvation v2]
