Splunk Knowledge Object Reporting

sh1pit76 · ‎01-09-2020

This might be an easy question for some of you splunk ninjas out there. I'm trying to create a report to show all our instances saved searches with their descriptions and search syntax, listed by app. However, due to the inconsistencies between the lines required to show the title, description, and search syntax of each search, they don't line up with one another in the final report. Is there a way to display this info in such a way that it's still broken down by App, but with the title, description, and search info aligned with each title in the results?

This is the synax I'm using:

| union maxtime=300 timeout=300
[| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| eval type="Saved Searches/Alerts/Reports"]
| stats list(title) as Title, list(description) as Description, list(search) as Search by eai:acl.app
| rename eai:acl.app as App

martin_mueller · ‎01-09-2020

You can do a stats by app title, giving you one line per search but still a grouping by app first. This will ensure that even very long titles or descriptions don't mess up your alignment.

Splunk Knowledge Object Reporting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation

Splunk Knowledge Object Reporting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!