Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I write a Rest Query to fetch all unsaved searches along with userid ( optional )

splunkfriend123
Engager
‎06-27-2022 07:25 AM

Hi Team,

While exploring Splunk documentation and few scenarios ,

noticed that there is Rest approach to extract  saved one. 

But i would like to extract unsaved ( adhoc ) searches performed to understand patterns and load

1. Unsaved searches performed on given index or all indexes along with the query used. 

I found below threads which can be used to fetch saved searches 

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-ap... 

https://community.splunk.com/t5/Splunk-Search/Listing-all-saved-searches-from-all-apps-via-REST-with...

Is there any Rest based query which can be used for extracting to find adhoc searches performed on splunk to understand load patterns.

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2022 11:41 AM

I'm not aware of a REST command for that specific use case, but you can use REST to run a search for unsaved (ad-hoc) searches.  Start with this search

index=_audit source=audittrail sourcetype=audittrail action=search savedsearch_name=""

Finding searches against a specific index is challenging.  Index names may or may not be specified in the query text.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunkfriend123
Engager
‎06-28-2022 03:17 AM

Hi @richgalloway 

Thanks for your quickresponse.

Currently i am looking for Rest based query.

With below query i am able to find saved searches , not sure how to tweak below query to cater my need to fetch unsaved / adhoc searches performed. 

Query to fetch saved searches : 

| rest /servicesNS/-/-/saved/searches splunk_server=local 

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-ap...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2022 05:42 AM

As I wrote earlier, there is no REST command to fetch ad-hoc searches.  You can, however, use REST to submit a new search job (using the query provided earlier) to extract ad-hoc search info from the logs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-27-2022 10:28 AM

Can you just setup MC (monitoring console) and use it to see those searches? 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...