Update savedsearches.conf

Author: gjanders

default/savedsearches.conf

@@ -4649,7 +4649,7 @@ search = | multisearch \
      ```Replace macros, but then replace datamodels, then tags, then eventtypes, but what if the eventtype refers to an eventtype? Or tag? Or more macros? This isn't perfect so just substitute a hope for the best. IndexerLevel - RemoteSearches Indexes Stats doesn't have all these issues so it may be safer to see what happens at indexing tier...Note pre Splunk 8.0 you will need to replace splunkadmins_audit_logs_macro_sub_v8 with splunkadmins_audit_logs_macro_sub``` \
     | `splunkadmins_macro_sub("search")` \
     | `splunkadmins_macro_sub("search")` \
-    | regex search="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|mutlisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+" \
+    | regex search="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|multisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+" \
     | regex search!="\|\s*(append|union|multisearch|set|appendcols|appendpipe|join|map)" \
     | `splunkadmins_audit_logs_datamodel_sub` \
     | `splunkadmins_audit_logs_tags_sub` \
@@ -4760,7 +4760,7 @@ search = | multisearch \
       ```Replace macros, but then replace datamodels, then tags, then eventtypes, but what if the eventtype refers to an eventtype? Or tag? Or more macros? This isn't perfect so just substitute a hope for the best. IndexerLevel - RemoteSearches Indexes Stats doesn't have all these issues so it may be safer to see what happens at indexing tier...``` \
     | `splunkadmins_macro_sub("search")` \
     | `splunkadmins_macro_sub("search")` \
-    | regex search="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|mutlisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+" \
+    | regex search="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|multisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+" \
     | regex search!="\|\s*(append|union|multisearch|set|appendcols|appendpipe|join|map)" \
     | `splunkadmins_audit_logs_datamodel_sub` \
     | `splunkadmins_audit_logs_tags_sub` \
@@ -8469,7 +8469,7 @@ search = | rest /servicesNS/-/-/saved/searches f=next_scheduled_time f=search f=
 | where updatedepoch < no_updates_after \
 | rex field=qualifiedSearch mode=sed "s/```.*?```/ /g"  \
 | rex field=search mode=sed "s/```.*?```/ /g" \
-| regex qualifiedSearch="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|mutlisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+"  \
+| regex qualifiedSearch="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|multisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+"  \
 | regex qualifiedSearch!="(\||^)\s*(append|union|multisearch|set|appendcols|appendpipe|join|map)"  \
 | rex field=search "(?s)^(?P<prepipe>\s*\|?([^\|]+))"  \
 | rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50  \
@@ -8569,7 +8569,7 @@ request.ui_dispatch_view = search
 search = index=_audit savedsearch_name="$savedsearch_name$" host IN ($host$) \
 | rex "(?s), search='(?P<search>.*)\]$" \
 | rex field=search mode=sed "s/```.*?```/ /g" \
-| regex search="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|mutlisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+" \
+| regex search="^\s*(\|?)\s*(search|tstats|mstats|mcatalog|multisearch|union|set|summarize|datamodel|from\s*:?\s*datamodel|datamodelsimple)\s+" \
 | regex search!="(\||^)\s*(append|union|multisearch|set|appendcols|appendpipe|join|map)" \
 | rex field=search "(?s)^(?P<prepipe>\s*\|?([^\|]+))" \
 | rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \