Any way to get the name of the scheduled search you are in?

SplunkTrust

I have an odd use case, where I'd like to be able to add a field naming the saved search I happen to be executing.

I know that addinfo gives the SID, is there any way to get the search name?

Champion

I would add an | eval insavedsearch="true" to your scheduled search. You control the search that's executed when the scheduled time comes, so why not make use of that control?

If you have a need for the same search, minus that eval to be available in an ad-hoc-able savedsearch, consider using a macro for the common portions, and add the eval just to the scheduled version.

0 Karma

Motivator

try this

index="_internal" sourcetype="scheduler" user=admin sid=scheduler* | table savedsearch_name _time

0 Karma

SplunkTrust

How would you use that to get the name of the same search that is currently being run?

something like this...?

 | appendpipe 
        [ search index="_internal" sourcetype="scheduler" user=admin sid=scheduler* 
        | table savedsearch_name _time| where _time = now() ]
0 Karma

Motivator

index="_internal" sourcetype="scheduler" user=admin sid=scheduler* | append [| rest /services/saved/searches/savedsearch_name | search is_scheduled=1] | table savedsearch_name,title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

or

The rest command below will help you get all scheduled searches; to list all the searches, run the second search.

| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | table title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

To know all the users and their scheduled searches:
| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | stats values(eai:acl.app) as application c by title, eai:acl.owner | fields - c

0 Karma

SplunkTrust

Yeah, I just want, within the search that is running, to know what its own name is, and that's a long way around the block to get there, if it gets there at all.

0 Karma

Influencer

@DalJeanis 

Did you ever find a solution for this?

It must be 'knowable' somehow, as if summary indexing is enabled, then it will have the search_name and source set to the name of the search when collected.


0 Karma

Super Champion

Below is a sample saved search. I could see the saved search name in the field title.

| makeresults 
| eval test="testing,testing2" 
| makemv test delim="," 
| mvexpand test 
| addinfo 
| join type=left 
    [| rest /services/search/jobs 
    | table info_sid title eai:acl.app eai:acl.owner 
    | rename sid as info_sid, title as search ] 
| join type=left search 
    [| rest splunk_server=local count=0 /services/saved/searches 
    | table title search]

You must add the search below to your saved search to get the title field.

| addinfo 
| join type=left 
    [| rest /services/search/jobs 
    | table info_sid title eai:acl.app eai:acl.owner 
    | rename sid as info_sid, title as search ] 
| join type=left search 
    [| rest splunk_server=local count=0 /services/saved/searches 
    | table title search]
————————————
If this helps, give a like below.

Influencer

Thanks @thambisetty 

A couple of minor mistakes in the response about info_sid, which might be worth fixing up, i.e.

| join type=left info_sid
    [| rest /services/search/jobs 
    | table sid title eai:acl.app eai:acl.owner 
    | rename sid as info_sid, title as search ]

It does work, so thanks for that.

I couldn't end up using it, as I've got a slightly odd use case, where I have a saved search calling a saved search, passing replaceable params to the second one, and this code in the second one then doesn't work. So although it's probably fixable with the right join data, I ended up using a macro with the name components, which follow a strict naming convention, so I had the name in some form anyway.


0 Karma
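A consolidated version of the approach worked out in the two posts above, added here as an example and not code from either poster: it applies the info_sid join fix, resolves the saved search title into savedsearch_name, and reuses the insavedsearch flag idea from the first reply, set from the sid prefix the scheduler log search earlier in the thread keys on, so ad-hoc runs of the same SPL are visibly tagged instead of silently unlabeled. The leading | makeresults stands in for the real body of the scheduled search; the "unresolved" fallback value is my choice.

```spl
| makeresults
| addinfo
| join type=left info_sid
    [| rest /services/search/jobs
     | fields sid title
     | rename sid as info_sid, title as search ]
| join type=left search
    [| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches
     | search is_scheduled=1
     | fields title search
     | rename title as savedsearch_name ]
| eval insavedsearch=if(match(info_sid, "^scheduler"), "true", "false")
| eval savedsearch_name=coalesce(savedsearch_name, "unresolved")
| fields - search
```

Run it once ad hoc and once from the scheduler and compare insavedsearch and savedsearch_name in the two result sets: the ad-hoc run should show "false" with an "unresolved" name, which is the case to watch for when alert output is expected to carry its originating search name.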

Champion

To get the info for the search that's running, you may try using sid instead of time. | addinfo will give you the sid in the field info_sid.

Edit: it looks like your original question already states this. Reading comprehension fail. 🙂

0 Karma