

Update savedsearches.conf
gjanders authored Apr 19, 2024
1 parent 57ed8ae commit bf76c0e
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions default/savedsearches.conf
Expand Up @@ -4628,7 +4628,7 @@ request.ui_dispatch_view = search
search = | multisearch \
[ search `comment("Last modified 2022-02-14 Attempt to extract out which indexes are accessed per search query by any search and compute statistics on them. The multisearch is only required if you want to capture sub-searches from join, append or similar, these require a bit more work so that's why the multisearch is there, in fact anything containing one of those keywords is dealt with in the second search, not this one...")` \
`comment("Note that the regexes need more work, for now, limits.conf [rex] match_limit = 1000000 is my workaround (main issue is the union/set/multisearch rex)")` \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" scan_count>0 \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" search_id!="'ta_*" search_id!="'RemoteStorageRetrieveIndexes*" scan_count>0 \
| rex "(?s), search='(?P<search>.*)\]$" \
| search `comment("Removed due to excess matching, modern splunk versions appear to match search= more accurately | rex \"(?s)^(?:[^'\n]*'){4},\s+\w+='(?P<search>[\s\S]+)'\]($|\[[^\]]+\]$)\"")` \
| rex field=search mode=sed "s/\n/ /g" \
Expand Down Expand Up @@ -4657,7 +4657,7 @@ search = | multisearch \
| rex field=search mode=sed "s/```.*?```/ /g" \
| rex field=search "(?s)^(?P<prepipe>\s*\|?([^\|]+))" ] \
[ search `comment("Attempt to extract out which indexes are accessed per search query by any search and compute statistics on them. This search works on searches with an append/multisearch or other command that has a slightly different regex requirement. Note had to nomv the multivalued field before concatenation or it sliently disappeared!")` \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" scan_count>0 \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" search_id!="'ta_*" search_id!="'RemoteStorageRetrieveIndexes*" scan_count>0 \
| rex "(?s), search='(?P<search>.*)\]$" \
| search `comment("Removed due to excess matching, modern splunk versions appear to match search= more accurately | rex \"(?s)^(?:[^'\n]*'){4},\s+\w+='(?P<search>[\s\S]+)'\]($|\[[^\]]+\]$)\"")` \
| rex field=search mode=sed "s/\n/ /g"\
Expand Down Expand Up @@ -4735,7 +4735,7 @@ request.ui_dispatch_view = search
search = | multisearch \
[ search `comment("Last modified 2022-02-14 Attempt to extract out which indexes are accessed per search query by any search and compute statistics on them. The multisearch is only required if you want to capture sub-searches from join, append or similar, these require a bit more work so that's why the multisearch is there, in fact anything containing one of those keywords is dealt with in the second search, not this one...")` \
`comment("Note that the regexes need more work, for now, limits.conf [rex] match_limit = 1000000 is my workaround (main issue is the union/set/multisearch rex)")` \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" scan_count>0 \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" search_id!="'ta_*" search_id!="'RemoteStorageRetrieveIndexes*" scan_count>0 \
| rex "(?s), search='(?P<search>.*)\]$" \
| search `comment("Removed due to excess matching, modern splunk versions appear to match search= more accurately | rex \"(?s)^(?:[^'\n]*'){4},\s+\w+='(?P<search>[\s\S]+)'\]($|\[[^\]]+\]$)\"")` \
| rex field=search mode=sed "s/\n/ /g"\
Expand Down Expand Up @@ -4764,7 +4764,7 @@ search = | multisearch \
| rex field=search mode=sed "s/```.*?```/ /g" \
| rex field=search "(?s)^(?P<prepipe>\s*\|?([^\|]+))" ] \
[ search `comment("Attempt to extract out which indexes are accessed per search query by any search and compute statistics on them. This search works on searches with an append/multisearch or other command that has a slightly different regex requirement. Note had to nomv the multivalued field before concatenation or it sliently disappeared!")` \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" scan_count>0 \
index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" search_id!="'ta_*" search_id!="'RemoteStorageRetrieveIndexes*" scan_count>0 \
| rex "(?s), search='(?P<search>.*)\]$" \
| search `comment("Removed due to excess matching, modern splunk versions appear to match search= more accurately | rex \"(?s)^(?:[^'\n]*'){4},\s+\w+='(?P<search>[\s\S]+)'\]($|\[[^\]]+\]$)\"")` \
| rex field=search mode=sed "s/\n/ /g"\
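Review bot: The new `search_id!=` exclusions are pasted into the same `index=_audit "info=completed"` line in all four hunks (the first and second search of both multisearch stanzas), so this hard-coded exclusion list now exists in four copies that have to be kept in sync by hand; pulling it into a single macro, e.g. a proposed `` `audit_search_id_exclusions` `` (name is a placeholder), would let the next exclusion be added once and keep the two stanzas from drifting apart, which matters because a missed copy silently changes which searches are counted in the index-access statistics. The new pattern `'RemoteStorageRetrieveIndexes*` has no `_` before the wildcard, unlike the neighbouring `'RemoteStorageRetrieveBuckets_*`; if that reflects the real search-id format it is fine, but it reads as a possible typo and a short comment such as `` `comment("RemoteStorageRetrieveIndexes ids carry no underscore suffix")` `` would settle it for the next reader. The leading `comment("Last modified 2022-02-14 ...")` on the first search of each stanza is now stale, since this commit changes the filter it describes; update the date in that comment or drop the date so it cannot mislead. The enclosing `search =` stanzas start and end outside the hunks, so the rest of the filter chain could not be reviewed here.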

