Dashboards & Visualizations

Non-admin user needs savedsearch job date in dashboard

burwell
SplunkTrust
SplunkTrust

I have non-admin users with dashboards. The base search uses a loadjob of a job that is scheduled each day to look at a day's worth of events. Other searches in the dashboard use the loadjob command. This all works well.

The scheduled job takes a long time to run and sometimes the scheduled job fails. We changed the job TTL to keep the results for 3 days.

The user wants to see the date that the scheduled job loadjob command is using. The user isn't an admin so does NOT have access to the _audit index. Is there any way for a non-admin to display the job date of the latest saved search in a dashboard? The user wants to know which day the job results are for.

FYI, if they did have access to _audit they could do something like:

index=_audit savedsearch_name="MySearch" info=completed result_count>0
| eval job_start_time=strftime(exec_time,"%Y-%m-%d %H:%M:%S")
0 Karma
1 Solution

aromanauskas
Path Finder

Your user may be able to get the data from a rest call, especially in a dashboard if they can already see the job results.

Just use the format below as a search.

| rest splunk_server=local /servicesNS/admin/search/saved/searches/{search name url encoded}/history

This should provide them with all the details; you'll want to look at the Published time field, and of course look for the most recent job to complete (isDone versus isFinalized).

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D...


0 Karma

woodcock
Esteemed Legend

You can derive the runtime of any SID from the details of the SID's name. For example, I had a scheduled search with a SID of scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576394280_17. In this case, the next-to-last segment of 1576394280 is the time that the search was run, which translates to 2019-12-15 01:18:00.

0 Karma
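The SID-parsing idea from the post above, written out as an added Python example (not code from the post or from Splunk): it pulls the epoch out of the `_at_<epoch>_<sequence>` tail of a scheduler SID and formats it. The SID layout and the example SID are taken from the post; the function names are my own, and the sample is formatted in UTC, so the same epoch prints as 07:18:00 here while the post shows it as 01:18:00 in the author's time zone. Ad hoc SIDs (which are plain epoch values with a fractional part) have no `_at_` tail and are reported as None rather than misread.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Scheduler SIDs look like (layout as described in the post):
#   scheduler__<owner>__<app>__RMD5<hash>_at_<epoch>_<sequence>
# The epoch is the segment between "_at_" and the final "_<sequence>".
# Anchoring on "_at_" is safer than counting underscores, since app and
# owner names may themselves contain underscores.
SCHEDULER_SID_RE = re.compile(r"_at_(?P<epoch>\d{9,11})_(?P<seq>\d+)$")


def sid_run_epoch(sid: str) -> Optional[int]:
    """Return the scheduled run time (Unix epoch) encoded in a scheduler SID,
    or None if the SID is not a scheduler SID (e.g. an ad hoc search SID)."""
    m = SCHEDULER_SID_RE.search(sid)
    if m is None:
        return None
    return int(m.group("epoch"))


def sid_run_time_utc(sid: str) -> Optional[str]:
    """Human-readable run time of a scheduler SID, rendered in UTC."""
    epoch = sid_run_epoch(sid)
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # SID quoted in the post; constructed ad hoc SID for contrast
    for sid in ("scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576394280_17",
                "1576394280.123"):
        print(sid, "->", sid_run_epoch(sid), sid_run_time_utc(sid))
```

The same regex can be used in SPL on the field that addinfo exposes, e.g. `| rex field=SID "_at_(?<run_epoch>\d+)_\d+$"`, which avoids hard-coding the segment position.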

burwell
SplunkTrust
SplunkTrust

Thanks @woodcock, so what would the search be for a non-admin to get that SID with the Unix date?

woodcock
Esteemed Legend

Add | addinfo | rename info_sid AS _SID | fields - info_* to every search. Then you can just do |savedsearch ... | rename _SID AS SID and go from there.

0 Karma

burwell
SplunkTrust
SplunkTrust

Thanks. I was looking for a solution that didn't involve updating each savedsearch. This is a technique I will test.

0 Karma


burwell
SplunkTrust
SplunkTrust

Thanks! I modified this search to avoid the error about not being able to access the REST call per https://answers.splunk.com/answers/712773/error-on-overview-pane-failed-to-fetch-rest-endpoi.html

| rest splunk_server=local /services/saved/searches/mysearch/history
| search isDone=1
| stats max(published) as search_date
| eval search_date=strftime(strptime(search_date,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| rename search_date AS "Search Date"
| table "Search Date"

This works.

@aromanauskas BTW if you convert to answer I can accept this answer. Thanks.

0 Karma
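The selection logic of the accepted search above, as an added Python example (not code from the thread or from Splunk) run over a constructed list of history rows in the shape the `/services/saved/searches/<name>/history` endpoint returns: it keeps only rows with `isDone=1`, picks the newest by `published`, and formats the date the way the SPL does. The rows, SIDs and timestamps are constructed; the function names are my own. It also shows the case the original poster cared about: when the most recent scheduled run failed (or is still running) and is not done, the reported date falls back to the last completed run, which is the one whose results the dashboard is actually showing.

```python
from datetime import datetime
from typing import List, Optional, Dict

# Constructed sample rows (only the fields the search uses). The REST endpoint
# returns `published` as ISO 8601 with a UTC offset and the flags as "0"/"1".
# The newest run (Dec 15) is not done, standing in for a failed scheduled job.
SAMPLE_HISTORY: List[Dict[str, str]] = [
    {"sid": "scheduler__nobody__search__RMD5deadbeefdeadbeef_at_1576221480_3",
     "isDone": "1", "isFinalized": "0", "published": "2019-12-13T01:18:00-06:00"},
    {"sid": "scheduler__nobody__search__RMD5deadbeefdeadbeef_at_1576307880_9",
     "isDone": "1", "isFinalized": "0", "published": "2019-12-14T01:18:00-06:00"},
    {"sid": "scheduler__nobody__search__RMD5deadbeefdeadbeef_at_1576394280_17",
     "isDone": "0", "isFinalized": "0", "published": "2019-12-15T01:18:00-06:00"},
]


def latest_completed_run(history: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Equivalent of `| search isDone=1 | stats max(published)`: the most
    recently published job that finished. A finalized-but-not-done job holds
    partial results, so it is deliberately excluded, matching the SPL."""
    done = [row for row in history if row.get("isDone") == "1"]
    if not done:
        return None
    # Compare as datetimes so differing UTC offsets cannot skew a string max().
    return max(done, key=lambda row: datetime.fromisoformat(row["published"]))


def search_date(history: List[Dict[str, str]]) -> Optional[str]:
    """The 'Search Date' value the dashboard panel displays, or None if no
    completed run exists (the panel would show no results in that case)."""
    row = latest_completed_run(history)
    if row is None:
        return None
    # fromisoformat keeps the offset; the SPL strptime pattern simply ignores it.
    return datetime.fromisoformat(row["published"]).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    row = latest_completed_run(SAMPLE_HISTORY)
    print("Search Date:", search_date(SAMPLE_HISTORY))
    print("from job:", row["sid"] if row else None)
```

Because the history endpoint only lists jobs the calling user is allowed to read, this works for a non-admin exactly when the saved search and its artifacts are shared to them, which is the same condition that lets the dashboard's loadjob succeed in the first place.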