index=_* search=* user=* user!=- user!=splunk-system-user
| rex field=search max_match=0 "index\s*=[\s\"]*(?<idx1>.*?)[\|\s\"\)]"
| rex field=search max_match=0 "[\+\(|\+]index\%3D(?<idx2>.*?)[\+|\)\+]"
| eval idx=if(isnull(idx1), idx2, idx1)
| eval frequency=if(source="/opt/splunk/var/log/splunk/splunkd_access.log", "scheduled", "ad-hoc")
| eval type=if(match(search, "summary*"), "summary", type1)
| eval idx=if(isnull(idx), "NONE", idx)
| eval end_type=if(frequency="ad-hoc", "ad-hoc", type)
| rename end_type as type
| table _time frequency type source user idx search
| bin _time span=1h
| stats count as count by _time idx user frequency type search
When running this command in hopes of capturing user activity, I get an error message indicating: "The regex "field" does not extract anything. It should specify at least one named group. Format (?…)."
Doris,
You might want to copy the search to Notepad/Notepad++ first, as I've noticed in general that when trying to copy/paste searches, some of the special characters don't get copied correctly.
I copied this search to Notepad++ and then copied from there to Splunk, and was able to run the search.
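A small pre-paste check, added here as an illustration and not part of either post above: it normalizes the typographic quotes and dashes that editors and web pages substitute on copy/paste (the failure the answer describes), then walks the pipeline and verifies that every `rex` command carries a double-quoted regex containing a named group, which is exactly what Splunk's "does not extract anything ... named group" error complains about. The sample searches and the `check_rex`/`normalize_spl` helper names are constructed for this example.

```python
import re

# Typographic characters commonly substituted by word processors and web pages,
# mapped back to the ASCII characters SPL actually expects.
TYPOGRAPHIC = {
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u2013": "-", "\u2014": "-",   # en dash / em dash
    "\u00a0": " ",                  # non-breaking space
}

# A named capture group in Splunk (PCRE) or Python syntax.
NAMED_GROUP = re.compile(r"\(\?P?<[A-Za-z_][A-Za-z0-9_]*>")
# A double-quoted string with backslash escapes honoured.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def normalize_spl(text: str) -> str:
    """Replace typographic substitutes with the ASCII characters SPL expects."""
    return "".join(TYPOGRAPHIC.get(ch, ch) for ch in text)


def split_commands(spl: str) -> list:
    """Split SPL on '|' characters that sit outside double-quoted strings."""
    cmds, buf, in_quote, escaped = [], [], False, False
    for ch in spl:
        if escaped:                      # character after a backslash: literal
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:    # start of an escape inside a string
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "|" and not in_quote:  # a real pipe: end of this command
            cmds.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    cmds.append("".join(buf).strip())
    return cmds


def check_rex(spl: str) -> list:
    """Return a list of problems with the rex commands (empty if all are usable)."""
    problems = []
    for cmd in split_commands(spl):
        if not re.match(r"rex\b", cmd):
            continue
        m = QUOTED.search(cmd)
        if m is None:
            problems.append(f"no double-quoted regex: {cmd}")
            continue
        pattern = m.group(1)
        if not NAMED_GROUP.search(pattern):
            problems.append(f"no named group: {cmd}")
            continue
        # Translate the PCRE named-group syntax to Python's before compiling;
        # the lookbehind forms (?<= and (?<! are left untouched.
        py_pattern = re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)
        try:
            re.compile(py_pattern)
        except re.error as exc:
            problems.append(f"regex does not compile ({exc}): {cmd}")
    return problems


# Constructed sample: the first two rex commands from the question, pasted intact.
SAMPLE_OK = (
    r'index=_* search=* | rex field=search max_match=0 "index\s*=[\s\"]*(?<idx1>.*?)[\|\s\"\)]"'
    r' | rex field=search max_match=0 "[\+\(|\+]index\%3D(?<idx2>.*?)[\+|\)\+]"'
    r' | eval idx=if(isnull(idx1), idx2, idx1)'
)
# Constructed sample: the same kind of rex after a word processor replaced the quotes.
SAMPLE_BROKEN = 'index=_* | rex field=search \u201c(?<idx1>index\\s*=\\S+)\u201d | table idx1'
# Constructed sample: a regex with a capture group that is not named.
SAMPLE_NOGROUP = 'index=_* | rex field=search "index=(\\S+)"'

if __name__ == "__main__":
    for label, spl in [("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN), ("nogroup", SAMPLE_NOGROUP)]:
        print(label, "->", check_rex(spl) or "no problems")
        print(label, "normalized ->", check_rex(normalize_spl(spl)) or "no problems")
```

Run the script, or call `check_rex(normalize_spl(text))` on whatever you are about to paste: a non-empty result means Splunk will reject the search before it extracts anything, and the message names the offending `rex` command.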