Commit 898552b

Update savedsearches.conf
1 parent e6eacf0 commit 898552b

1 file changed: +4 -0 lines changed


default/savedsearches.conf

Lines changed: 4 additions & 0 deletions
@@ -8401,6 +8401,10 @@ search = index=_audit `searchheadhosts` TERM(info=completed) search_id!="'rsa_*"
84018401
| rex field=search mode=sed "s/\n/ /g" \
84028402
| rex field=search mode=sed "s/```.*?```/ /g" \
84038403
| eval search=if(substr(search,len(search),len(search)-1)=="'",substr(search,0,len(search)-1),search)\
8404+
``` splparse is from GV Utils app, works for splitting the data into search lines to prevent rex errors while extracting macros. This provides more accuracy but requires the GV Utils app from splunkbase, replace the rex / macro lien with the below \
8405+
| splparse search \
8406+
| rex field=parsed_search "`\s*(?P<macro>.*?)\s*`" max_match=0 \
8407+
``` \
84048408
| rex field=search "`\s*(?P<macro>.*?)\s*`" max_match=0\
84058409
| eval search_head=host\
84068410
| eval search_head_cluster=`search_head_cluster`\
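Review bot: the commented-out alternative added at 8404-8407 places a backtick-delimited token (the `\s*(?P<macro>.*?)\s*` pattern in the `rex field=parsed_search` line) inside a ``` comment block; confirm on the target Splunk version that comment stripping happens before macro expansion, otherwise that pair of backticks is at risk of being treated as a macro call when the saved search runs. Two smaller points on the same lines: "macro lien" should read "macro line", and since the alternative depends on a third-party app (GV Utils) that is not shipped with this one, the app README or the saved search's description is the more conventional place for it than a commented-out command inside the conf value, where it also has to carry its own `\` continuations to keep the multi-line value intact.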
