Search for triggered save searches and their actions titles and users: Need help with subsearch

NanSplk01 — Tue, 04 Feb 2025 17:51:49 GMT

I want to use the 2nd search as a subsearch only bringing back the actions. How can I do this?

SEARCH
| rest /servicesNS/-/-/saved/searches
| search title=kafka*
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1")
| eval identifierDate=now()
| convert ctime(identifierDate) AS identifierDate
| table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo
| fillnull value=""
| sort -lastUpdated

SUBSEARCH
| rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=*
| search disabled=0
| eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user), app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect"))
| rex field=ol_cmd "outputlookup (?<ol_tgt_filename>.+)"
| rex field=si_cmd "index\\s?=\\s?(?<si_tgt_index>[-_\\w]+)"
| eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename')
| rex field=description mode=sed "s/^\\s+//g"
| eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) > 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0)
| fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action
| eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch")
| where is_alert==1
| eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0)
| where splunk_default_app=0
| fields - splunk_server, splunk_default_app
| search title=*kafka*
| table actions title user

Re: Search for triggered save searches and their actions titles and users: Need help with subsearch

tej57 — Thu, 19 Jun 2025 11:35:08 GMT

Hello @NanSplk01,

If it is only the actions field that you're interested in the subsearch, you don't need to perform all of the other operations. But since you're using splunk_server=* in the second search, here's something that might help you.

| rest /servicesNS/-/-/saved/searches | search title=kafka* | rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" | eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | eval identifierDate=now() | convert ctime(identifierDate) AS identifierDate | table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo | fillnull value="" | sort -lastUpdated | join type=left title [ | rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* | search disabled=0 AND title="kafka*" | fields title actions splunk_server | stats values(actions) as actions by title splunk_server]

Let me know if this helps your use case.

Thanks,
Tejas.

---
If the solution works, an upvote is appreciated..!!

topic Re: Search for triggered save searches and their actions titles and users: Need help with subsearch in Splunk Search

Search for triggered save searches and their actions titles and users: Need help with subsearch

Re: Search for triggered save searches and their actions titles and users: Need help with subsearch