I have an odd use case, where I'd like to be able to add a field naming the saved search I happen to be executing.
I know that addinfo gives the SID; is there any way to get the search name?
I would add an | eval insavedsearch="true" to your scheduled search. You control the search that's executed when the scheduled time comes, so why not make use of that control?
If you have a need for the same search, minus that eval, to be available in an ad-hoc-able savedsearch, consider using a macro for the common portions, and add the eval just to the scheduled version.
try this
index="_internal" sourcetype="scheduler" user=admin sid=scheduler* | table savedsearch_name _time
How would you use that to get the name of the same search that is currently being run?
something like this...?
| appendpipe
[ search index="_internal" sourcetype="scheduler" user=admin sid=scheduler*
| table savedsearch_name _time | where _time = now() ]
index="_internal" sourcetype="scheduler" user=admin sid=scheduler* | append [| rest /services/saved/searches/savedsearch_name | search is_scheduled=1] | table savedsearch_name, title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *
or
The rest command below will help you get all scheduled searches; to list all the searches, run the second search.
| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | table title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *
To know all the users and their scheduled searches:
| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | stats values(eai:acl.app) as application c by title, eai:acl.owner | fields - c
Yeah, I just want, within the search that is running, to know what its own name is, and that's a long way around the block to get there, if it gets there at all.
Did you ever find a solution for this?
It must be 'knowable' somehow, as if summary indexing is enabled, then it will have the search_name and source set to the name of the search when collected.
Below is a sample saved search. I could see the saved search name in the field title.
| makeresults
| eval test="testing,testing2"
| makemv test delim=","
| mvexpand test
| addinfo
| join type=left
[| rest /services/search/jobs
| table info_sid title eai:acl.app eai:acl.owner
| rename sid as info_sid, title as search ]
| join type=left search
[| rest splunk_server=local count=0 /services/saved/searches
| table title search]
You must add the search below to your saved search to get the title field.
| addinfo
| join type=left
[| rest /services/search/jobs
| table info_sid title eai:acl.app eai:acl.owner
| rename sid as info_sid, title as search ]
| join type=left search
[| rest splunk_server=local count=0 /services/saved/searches
| table title search]
Thanks @thambisetty
A couple of minor mistakes in the response about info_sid, which might be worth fixing up, i.e.
| join type=left info_sid
[| rest /services/search/jobs
| table sid title eai:acl.app eai:acl.owner
| rename sid as info_sid, title as search ]
It does work, so thanks for that.
I couldn't end up using it, as I've got a slightly odd use case, where I have a saved search calling a saved search, passing replaceable params to the second one, and this code in the second one then doesn't work. So, although it's probably fixable with the right join data, I ended up using a macro with the name components, which follow a strict naming convention, so I had the name in some form anyway.
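Putting the info_sid correction above together with the second join from the earlier answer, here is the full chain as an added example (this is not code from any of the original posts). It assumes a searchable Splunk instance where the running job is visible on the local search head via /services/search/jobs, and that the saved search definition stored under /services/saved/searches is textually identical to the search string the job reports as its title. The final eval marks the ad-hoc case, where no saved search matches:

```spl
| makeresults
| addinfo
| join type=left info_sid
    [| rest splunk_server=local count=0 /services/search/jobs
     | table sid title eai:acl.app eai:acl.owner
     | rename sid as info_sid, title as search ]
| join type=left search
    [| rest splunk_server=local count=0 /services/saved/searches
     | table title search ]
| eval running_as=if(isnull(title), "ad-hoc or unmatched", "saved search: ".title)
| table info_sid title running_as eai:acl.app eai:acl.owner search
```

The second join matches on the search string, so it only resolves a name when the job's search text equals the stored definition verbatim; a saved search that is dispatched with substituted parameters, or whose macros are expanded before dispatch, will land in the "ad-hoc or unmatched" branch, which is consistent with the behaviour described in the reply above.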
To get the info for the search that's running, you may try using sid instead of time. | addinfo will give you the sid in the field info_sid.
Edit: it looks like your original question already states this. Reading comprehension fail. 🙂