https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603245#M209937 <P>It's a question that pops up quite frequently (auditing index accesses). Might be worth creating an idea on <A href="https://ideas.splunk.com/" target="_blank">https://ideas.splunk.com/</A> or supporting existing one if someone already made one.</P> Sat, 25 Jun 2022 08:50:42 GMT PickleRick 2022-06-25T08:50:42Z https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603171#M209914 <P>Hi Team,</P><P>&nbsp;</P><P>Is there any way to use REST syntax and retrieve the following.</P><P>1. Rest Query to retrieve all unique searches performed on a given index and count no of times it was searched</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Jun 2022 14:28:25 GMT https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603171#M209914 splunkfriend123 2022-06-24T14:28:25Z https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603173#M209915 <P>There is no REST command that does all that.&nbsp; You can use REST to search the audit log for all searches, but it won't be by index.</P><P>It's possible to parse the search strings to extract index names, but that's not perfect since index names may not be specified in the query itself.&nbsp; They may be in a macro or an eventtype or in the user's default indexes.</P> Fri, 24 Jun 2022 14:43:14 GMT https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603173#M209915 richgalloway 2022-06-24T14:43:14Z https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603235#M209932 <P><SPAN>for _internal index for example:<BR /><BR />|&nbsp;rest&nbsp;/services/saved/searches&nbsp;splunk_server=local&nbsp;count=0</SPAN><BR /><SPAN>|&nbsp;search&nbsp;cron_schedule!="*&nbsp;*"&nbsp;AND&nbsp;search="*index=_internal*"<BR /><BR />when there is no cron schedule for a saved search, it cant execute .</SPAN></P> Sat, 25 Jun 2022 05:39:42 GMT https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603235#M209932 marysan 2022-06-25T05:39:42Z https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603243#M209935 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/246600">@splunkfriend123</a>&nbsp;there is no way to find the unique searches using REST command.</P><P>you could run the below search on audit index to get the details of adhoc, api and any scheduled searches.</P><P>index=_audit action="search" search="*" | eval ad-hoc=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1&nbsp;</P> Sat, 25 Jun 2022 08:06:03 GMT https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603243#M209935 Roy_9 2022-06-25T08:06:03Z https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603245#M209937 <P>It's a question that pops up quite frequently (auditing index accesses). Might be worth creating an idea on <A href="https://ideas.splunk.com/" target="_blank">https://ideas.splunk.com/</A> or supporting existing one if someone already made one.</P> Sat, 25 Jun 2022 08:50:42 GMT https://community.splunk.com/t5/Splunk-Search/Rest-Query-to-find-out-query-along-with-no-of-execution-times/m-p/603245#M209937 PickleRick 2022-06-25T08:50:42Z