Reporting
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

History of a saved search

peter_gianusso
Communicator
‎11-15-2012 01:34 PM

Is it possible to get the history of when a saved search was executed? This will allow me to see if the cron schedule is working correctly.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:09 PM

Any chance you are on Splunk 5?

| history

Returns a history of searches formatted as an events list or as a table.

For 4.3 please try this:

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*)
| eval search_id=if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| search search_id!=rt_* search_id!=searchparsetmp*
| rex "search='(?<search>.*?)', autojoin"
| rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["

View solution in original post

Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎11-16-2012 08:14 AM

a simple approach would be to look at scheduler.log

0 Karma
Reply
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:09 PM

Any chance you are on Splunk 5?

| history

Returns a history of searches formatted as an events list or as a table.

For 4.3 please try this:

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*)
| eval search_id=if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| search search_id!=rt_* search_id!=searchparsetmp*
| rex "search='(?<search>.*?)', autojoin"
| rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["
Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:49 PM

can you please try the one I just added to the answer? I think maybe in comments the code doesn't format properly.

0 Karma
Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎11-15-2012 02:31 PM

Error: Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side

0 Karma
Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:17 PM

Here is a search I stole from SoS.

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*)
| eval search_id=if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| search search_id!=rt_* search_id!=searchparsetmp*
| rex "search='(?<search>.*?)', autojoin"
| rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["

Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎11-15-2012 02:11 PM

No I am on the latest 4.x version. That shows the contents of searches.log which does not contain the name of the saved search.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top