topic Re: How can I use rex to extract the time stamp of a used search? in Splunk Search

How can I use rex to extract the time stamp of a used search?

ECovell — Mon, 29 Aug 2016 19:22:07 GMT

I am attempting to create a search that would pull information about search usage. I have an index generated off of this:

| rest /servicesNS/-/-/saved/searches splunk_server=local
| rename "eai:acl.app" AS app
| rename "eai:acl.owner" AS owner
| table title,app,owner

I have searched and cannot find a way to add a time stamp for searches.

Thanks for your help,
Ernie

Re: How can I use rex to extract the time stamp of a used search?

s2_splunk — Tue, 29 Sep 2020 10:46:48 GMT

Hi Ernie,
have you taken a look at this app yet? It may contain all the things you are trying to build, and then some.

I don't believe the REST endpoint will capture the last run time of each search, if that is what you are after. For getting that, you will have to search index=_audit similar to this (will need tweaking): index=_audit action=search savedsearch_name="*" | stats latest(_time) as LastRun by savedsearch_name | convert ctime(LastRun)

I would definitely take a look at the app mentioned above, if only to give you an idea of where to find the relevant data for your use case.

Re: How can I use rex to extract the time stamp of a used search?

ECovell — Fri, 02 Sep 2016 14:50:51 GMT

This search works really well, but all I get is the scheduled searches that populate. I run a lot of different searches manually and they do not show up in this report. Any other suggestions?

Thanks,
Ernie

Re: How can I use rex to extract the time stamp of a used search?

inventsekar — Tue, 29 Sep 2020 10:49:18 GMT

you can write a particulear user-name

index=_audit action=search user=user-name | stats latest(_time) as LastRun by user | convert ctime(LastRun)

or, for all usernames (without splunk-system-user and splunk_alert_scheduler, the saved search user accounts)

index=_audit action=search user!=splunk* | stats latest(_time) as LastRun by user | convert ctime(LastRun)

Re: How can I use rex to extract the time stamp of a used search?

s2_splunk — Fri, 02 Sep 2016 16:21:14 GMT

Sorry, your initial question suggested you are only interested in finding saved search information. You can remove savedsearch_name="*" from the search string and find a different field to group by to include all search activity, as @inventsekar points out below.

Re: How can I use rex to extract the time stamp of a used search?

ECovell — Mon, 12 Sep 2016 13:48:24 GMT

I have tried all different variations of searches, but I still get only the saved searches and not all the searches run. Is there a file that I can rip some of that info from? Is there some other search format I can try other than rest or index=audit source=audittrail?

Thanks,
Ernie

Re: How can I use rex to extract the time stamp of a used search?

ECovell — Tue, 20 Sep 2016 19:14:27 GMT

Are searches time stamped when they are initiated? If they are where is that time stamp saved, maybe I can write up a script to draw it out?

Thanks,
Ernie