This is looking really good so far. Still having our users test it.
One caveat (not really an issue) is that I found that I needed to rename fields to have the WDC accept them.
Here is the test search I was using:
index=_audit action=search search=* user=* NOT user=splunk-system-user earliest=-1h
| rex field=search "index\s*=\s*\"*(?<indexname>[^\s\"]+)"
| search indexname="*"
| stats count by indexname user
| rename count as searches
| stats list(indexname) by user searches
Because "stats list(indexname)" returns with brackets, I needed to modify the search as follows:
| rename list(indexname) as indexname
Not something I would consider an issue, but something for people who are migrating current searches to be aware of.
From @actionpotato
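The rename in the post above is needed because `stats list(indexname)` yields a field literally named `list(indexname)`, and a Web Data Connector column id cannot carry brackets. The following is an added example (not code from the thread, the Splunk app, or Tableau) that generalises that manual rename into a small schema helper. It assumes that WDC column ids may contain only letters, digits and underscores; `toWdcColumnId` and `buildWdcColumns` are hypothetical names, and the `dataType` value stands in for `tableau.dataTypeEnum.string` so the snippet runs outside a browser.

```javascript
// Added example: normalise Splunk result field names into identifiers a
// Tableau Web Data Connector column schema will accept.
// Assumption: WDC column ids may contain only letters, digits and underscores,
// so names such as "list(indexname)" (from `stats list(...)`) must be rewritten.

function toWdcColumnId(fieldName) {
  // Collapse every run of disallowed characters into one underscore, then trim
  // the leading/trailing underscores left behind by brackets at either end.
  let id = String(fieldName)
    .replace(/[^A-Za-z0-9_]+/g, '_')
    .replace(/^_+|_+$/g, '');
  // Never emit an empty id, and avoid ids that begin with a digit.
  if (id === '') id = 'field';
  if (/^[0-9]/.test(id)) id = 'f_' + id;
  return id;
}

// Turn a list of Splunk field names into WDC column definitions. The original
// Splunk name is kept as the human-readable alias, and ids are made unique so
// two fields that sanitise to the same id do not collide in the table schema.
function buildWdcColumns(fieldNames) {
  const seen = new Map();
  return fieldNames.map((name) => {
    let id = toWdcColumnId(name);
    const n = seen.get(id) || 0;
    seen.set(id, n + 1);
    if (n > 0) id = `${id}_${n + 1}`;
    // Placeholder for tableau.dataTypeEnum.string in a real connector.
    return { id, alias: name, dataType: 'string' };
  });
}

// Constructed sample: the field names produced by the search in the post
// (stats list(indexname) by user searches).
const sampleFields = ['user', 'searches', 'list(indexname)'];
console.log(buildWdcColumns(sampleFields));
// → ids: user, searches, list_indexname
```

Running the helper over the result fields of a search before calling `tableau.makeTable` removes the need to add a `| rename list(indexname) as indexname` line to every migrated search, while the alias still shows the original Splunk field name in Tableau.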