
Commit d9ee1ce

authored
Update savedsearches.conf
1 parent 1682d15 commit d9ee1ce

1 file changed

+8
-11
lines changed


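--- a/default/savedsearches.conf
+++ b/default/savedsearches.conf
@@ -4714,8 +4714,7 @@ search = | multisearch \
 ```Extract out index= or index IN (a,b,c) but avoid NOT index in (...) and NOT index=... and also NOT (...anything) statements``` \
 | rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
-| makemv delim=" " indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
 | eval wildcard=mvfilter(match(indexes,"\*")) \
@@ -4818,8 +4817,7 @@ search = | multisearch \
 ```Extract out index= or index IN (a,b,c) but avoid NOT index in (...) and NOT index=... and also NOT (...anything) statements``` \
 | rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
-| makemv delim=" " indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
 | eval wildcard=mvfilter(match(indexes,"\*")) \
@@ -7023,7 +7021,7 @@ invocations_command_search_index_bucketcache_miss>0 OR invocations_command_searc
 | eval total_hours_searched=round(total_hours_searched,1) \
 | rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
 | eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
@@ -7078,7 +7076,7 @@ invocations_command_search_index_bucketcache_miss>0 OR invocations_command_searc
 | stats latest(mostRecent) AS mostRecent, count as number_of_runs values(host) as host values(total_hours_searched) AS total_hours_searched values(total_days_searched) AS total_days_searched max(run_time) AS max_run_time avg(run_time) AS avg_run_time sum(run_time) AS sum_run_time sum(total_cache_miss) as total_cache_miss max(result_count) AS result_count max(event_count) AS event_count max(searched_buckets) AS searched_buckets values(info) AS info values(numofsearchesinquery) AS numofsearchesinquery, values(app) AS app by users search \
 | rex field=search "(?s)(NOT\s+index(\s*=\s*|::[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
 | eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
@@ -7133,7 +7131,7 @@ invocations_command_search_index_bucketcache_miss>0 OR invocations_command_searc
 | stats latest(mostRecent) AS mostRecent, count as number_of_runs, values(host) as host values(total_hours_searched) AS total_hours_searched values(total_days_searched) AS total_days_searched max(run_time) AS max_run_time avg(run_time) AS avg_run_time sum(run_time) AS sum_run_time sum(total_cache_miss) as total_cache_miss max(result_count) AS result_count max(event_count) AS event_count max(searched_buckets) AS searched_buckets values(info) AS info values(numofsearchesinquery) AS numofsearchesinquery, values(provenance) AS provenance, values(app) AS app by users search \
 | rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=search "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
 | eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
@@ -8228,7 +8226,7 @@ search = | rest `splunkadmins_restmacro` timeout=900 /servicesNS/-/-/data/models
 | rex field=eai:data "(?P<esstylewildcard>\(\s*index=\*\s+OR\s+index=_\*\s*\))" \
 | rex field=eai:data "(?sm)(NOT\s+index\s*(=|::)\s*[^ ]+)|(NOT\s+\([^\)]+\))|(index\s*(=|::)\s*(\\\)?\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=eai:data "(?sm)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
 | eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
@@ -8475,8 +8473,7 @@ search = | rest /servicesNS/-/-/saved/searches f=next_scheduled_time f=search f=
 | eval prepipe = prepipe . " " . prepipe_subsearch \
 | rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=prepipe "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
-| makemv delim=" " indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=mvmap(indexes, replace(lower(indexes), "\"", "")) \
 | eval indexes=mvmap(indexes, trim(replace(indexes, "'", ""))) \
@@ -8575,7 +8572,7 @@ search = index=_audit savedsearch_name="$savedsearch_name$" host IN ($host$) \
 | rex field=search "(?s)^(?P<prepipe>\s*\|?([^\|]+))" \
 | rex field=prepipe "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \
 | rex field=prepipe "(?s)(NOT\s+index\s+[iI][nN]\s*\([^\)]+)|(index\s+[iI][nN]\s*\((?P<indexin>([^\)\"]+)|\"[^\)\"]+\"))" max_match=50 \
-| makemv delim="," indexin \
+| makemv tokenizer="([^, ]+)" indexin \
 | eval indexes=mvappend(indexregex,indexin) \
 | eval indexes=if(isnotnull(esstylewildcard),mvfilter(NOT match(indexes,"^_?\*$")),indexes) \
 | eval wildcard=mvfilter(match(indexes,"\*")) \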
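Review bot: The first `rex` in the `@@ -7078,7 +7076,7 @@` hunk (the line directly after the long `stats ... by users search`) has unbalanced parentheses as rendered: `(NOT\s+index(\s*=\s*|::[^ ]+)` closes the inner alternation but never the outer group, so PCRE should reject the pattern and the whole `rex` — and with it this report, which is the one the new `makemv tokenizer` line feeds — fails at run time instead of merely under-extracting index names. Every sibling search in the other hunks reads `(NOT\s+index(\s*=\s*|::)[^ ]+)`, so the line should be `| rex field=search "(?s)(NOT\s+index(\s*=\s*|::)[^ ]+)|(NOT\s+\([^\)]+\))|(index(\s*=\s*|::)\"?(?P<indexregex>[\*A-Za-z0-9-_]+))" max_match=50 \`. The commit leaves that context line untouched, and the enclosing `search =` stanza starts and ends outside the hunk, so I cannot tell whether a later line compensates. Separately, `tokenizer="([^, ]+)"` keeps surrounding double quotes on each token (`"main"` stays `"main"`); in this hunk the following `replace(lower(indexes), "\"", "")` strips them, but in the hunks at 4714 and 8575 no such stripping is visible, so it is worth confirming it happens further down those searches before the `indexes` values are compared against real index names.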
