topic Re: Rest Query to fetch all unsaved searches along with userid ( optional ) in Getting Data In

How do I write a Rest Query to fetch all unsaved searches along with userid ( optional )

splunkfriend123 — Tue, 28 Jun 2022 10:24:15 GMT

Hi Team,

While exploring Splunk documentation and few scenarios ,

noticed that there is Rest approach to extract saved one.

But i would like to extract unsaved ( adhoc ) searches performed to understand patterns and load

1. Unsaved searches performed on given index or all indexes along with the query used.

I found below threads which can be used to fetch saved searches

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-apps-using/m-p/162615

https://community.splunk.com/t5/Splunk-Search/Listing-all-saved-searches-from-all-apps-via-REST-without/m-p/508688

Is there any Rest based query which can be used for extracting to find adhoc searches performed on splunk to understand load patterns.

Re: Rest Query to fetch all unsaved searches along with userid ( optional )

isoutamo — Mon, 27 Jun 2022 17:28:43 GMT

Can you just setup MC (monitoring console) and use it to see those searches?

Re: Rest Query to fetch all unsaved searches along with userid ( optional )

richgalloway — Mon, 27 Jun 2022 18:41:21 GMT

I'm not aware of a REST command for that specific use case, but you can use REST to run a search for unsaved (ad-hoc) searches. Start with this search

index=_audit source=audittrail sourcetype=audittrail action=search savedsearch_name=""

Finding searches against a specific index is challenging. Index names may or may not be specified in the query text.

Re: Rest Query to fetch all unsaved searches along with userid ( optional )

splunkfriend123 — Tue, 28 Jun 2022 10:17:03 GMT

Hi @richgalloway

Thanks for your quickresponse.

Currently i am looking for Rest based query.

With below query i am able to find saved searches , not sure how to tweak below query to cater my need to fetch unsaved / adhoc searches performed.

Query to fetch saved searches :

| rest /servicesNS/-/-/saved/searches splunk_server=local

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-apps-using/m-p/162615

Re: Rest Query to fetch all unsaved searches along with userid ( optional )

richgalloway — Tue, 28 Jun 2022 12:42:48 GMT

As I wrote earlier, there is no REST command to fetch ad-hoc searches. You can, however, use REST to submit a new search job (using the query provided earlier) to extract ad-hoc search info from the logs.