topic Re: History of a saved search in Reporting

History of a saved search

peter_gianusso — Thu, 15 Nov 2012 21:34:38 GMT

Is it possible to get the history of when a saved search was executed? This will allow me to see if the cron schedule is working correctly.

Re: History of a saved search

okrabbe_splunk — Thu, 15 Nov 2012 22:09:33 GMT

Any chance you are on Splunk 5?

| history

Returns a history of searches formatted as an events list or as a table.

For 4.3 please try this:

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*)
| eval search_id=if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| search search_id!=rt_* search_id!=searchparsetmp*
| rex "search='(?<search>.*?)', autojoin"
| rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["

Re: History of a saved search

peter_gianusso — Thu, 15 Nov 2012 22:11:34 GMT

No I am on the latest 4.x version. That shows the contents of searches.log which does not contain the name of the saved search.

Re: History of a saved search

okrabbe_splunk — Thu, 15 Nov 2012 22:17:11 GMT

Here is a search I stole from SoS.

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*) | eval search_id=if(isnull(search_id), id, search_id) | replace '*' with * in search_id | search search_id!=rt_* search_id!=searchparsetmp* | rex "search='(?<search>.*?)', autojoin" | rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["

Re: History of a saved search

peter_gianusso — Thu, 15 Nov 2012 22:31:41 GMT

Error: Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side

Re: History of a saved search

okrabbe_splunk — Thu, 15 Nov 2012 22:49:35 GMT

can you please try the one I just added to the answer? I think maybe in comments the code doesn't format properly.

Re: History of a saved search

peter_gianusso — Fri, 16 Nov 2012 16:14:09 GMT

a simple approach would be to look at scheduler.log