topic Automatically create custom saved searches upon login in Reporting

Automatically create custom saved searches upon login

pgsery — Sat, 12 Feb 2011 13:03:47 GMT

I want to create custom saved searches for users based on their search filter. I think I need to to use scripted login (i.e., pamScripted.py, dumbScripted.py, etc.) to do so. For instance, if ...Scripted.py creates a user's search filter, then create a search for each item in the filter. So a user whose search filter is host=x, host=y, host=z would get saved searches [x]..., [y]..., [z]...

I've modified dumbScripted.py to insert saved searches into my savedsearches.conf, but this requires restarting splunk to activate the searches. Alternatively, it might be reasonable to have the script launch "splunk add saved-search ..." but I haven't been able to make it work on a per-user basis. Any suggestions?

Re: Automatically create custom saved searches upon login

gkanapathy — Sun, 13 Feb 2011 07:05:30 GMT

I guess I'd be interested in understanding why you'd want separate saved searches for each user, rather than have the filters do the work. The most effective way to do what you narrowly want is to create the search via a REST API call, but I'm not sure that overall this is necessarily the right approach in the first place.

Re: Automatically create custom saved searches upon login

pgsery — Sun, 13 Feb 2011 10:47:42 GMT

I want to provide our user with a simple way to perform their required log reviews. If they all need to look for certain events, they'll end up creating the same saved searches to perform the job and email the results. I'd rather create the common searches automatically and save everyone the manual and repetitious effort.

Re: Automatically create custom saved searches upon login

gkanapathy — Tue, 15 Feb 2011 02:35:29 GMT

i suppose my question is why you'd need to create different ones for each user.

Re: Automatically create custom saved searches upon login

pgsery — Tue, 15 Feb 2011 07:31:35 GMT

We allow user A to see logs from machines 1, 3 & 9, and user B machines 2, 3, & 4. We want user A to monitor errors on 1,3 & 9; likewise B monitors 2,3 & 4.

We could teach A and B how to perform the search for each machine and instruct them save the search to simplify their job. However, we have hundreds of users and would prefer to automate the process one way or the other. Creating savedsearches at login seems like an obvious way, but perhaps there's another. I'm also looking at adding the above search to our app and linking the specific machines to the search within the app.

Re: Automatically create custom saved searches upon login

gkanapathy — Tue, 15 Feb 2011 08:20:51 GMT

If you already have this logic coded into the search filter, it should be unnecessary to create different saved searches, since the search filter applies to all searches run by that user.

Re: Automatically create custom saved searches upon login

pgsery — Wed, 23 Feb 2011 12:53:47 GMT

Could you give an example?

Re: Automatically create custom saved searches upon login

pgsery — Mon, 07 Mar 2011 02:34:12 GMT

I solved the problem by creating a drop-down menu allowing the user to choose a host (and time-range). The selected host is plugged into a pipeline that feeds an arbitrary filter.

Hosts: myhosts | metadata type=hosts True main host host myhosts stringreplace True host= $target$ $host$ | head sourcetype_setting stringreplace True sourcetype= $target$ 24h False Submit flashtimeline