How to list saved searches

gfriedmann
Communicator

Is it possible to search on saved search names?

I would like to be able to use splunk to query the data that is the names of my saved searches.


dwaddle
SplunkTrust

The names of configured saved searches are not indexed in Splunk by default. However, saved searches are stored in savedsearches.conf configuration files on the indexer. You can use Splunk's btool command to show you the names of saved searches and which apps they are configured in:

$ splunk cmd btool --debug savedsearches list | egrep "\["
unix       [10 Most Popular Executables Last Hour (UNIX - CPU)]
unix       [Addresses Connected To (UNIX - NET)]
search     [Admin - Splunkweb Recent Unhandled Exceptions]
search     [Admin - System Info]
unix       [Alert - syslog errors last hour]
unix       [Avg Resident Memory by Process Last 3 Hours (UNIX - MEM)]
unix       [Avg Virtual Memory by Process Last 3 Hours (UNIX - MEM)]
unix       [CPU Usage by Command (UNIX - CPU)]
unix       [CPU Usage by User (UNIX - CPU)]
SplunkforC [Cisco ASA Firewall - Actions Over Time - Summary]
SplunkforC [Cisco ASA Firewall - Top Denied DEST IP - Summary]
SplunkforC [Cisco ASA Firewall - Top Denied SRC IP - Summary]

A list of saved searches is also available in Splunk Manager.
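
An added example, not part of the original answer: the egrep "\[" filter above also matches setting lines whose value contains a bracket (for instance a search with a subsearch), so this sketch keeps only lines whose content after the first column is a [stanza] header. It assumes the two-column layout shown in the answer's output; the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list saved-search stanza names from btool --debug output.
# Assumes the layout shown in the answer: an origin column, whitespace,
# then the configuration line.

# Reads btool output on stdin, prints "origin<TAB>stanza name" per saved search.
list_saved_search_stanzas() {
    awk '{
        origin = $1
        rest = $0
        sub(/^[^ \t]+[ \t]+/, "", rest)   # drop the origin column
        sub(/[ \t\r]+$/, "", rest)        # drop trailing whitespace / CR
        # Stanza headers start with "[" and end with "]". A setting such as
        # "search = ... [ subsearch ]" contains "[" but does not start with it.
        if (rest ~ /^\[.*\]$/)
            printf "%s\t%s\n", origin, substr(rest, 2, length(rest) - 2)
    }'
}

# Reads btool output on stdin, prints "origin=count" per origin, sorted.
count_stanzas_by_origin() {
    list_saved_search_stanzas | cut -f1 | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# Constructed sample (not real btool output); the search strings are made up.
sample_btool_output() {
    cat <<'EOF'
unix       [CPU Usage by User (UNIX - CPU)]
unix       search = index=os sourcetype=ps | stats avg(pctCPU) by USER
search     [Admin - System Info]
search     search = index=_internal [ search index=_internal | head 1 | fields host ]
search     dispatch.earliest_time = -1h
EOF
}

sample_btool_output | list_saved_search_stanzas
```

On a live system, pipe the answer's btool command into list_saved_search_stanzas instead of the constructed sample.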


melonman
Motivator

I was looking for the same thing, and with the latest Splunk, I could do the following.

| rest /servicesNS/*USERNAME*/*APPNAME*/saved/searches | table title qualifiedSearch

I may be wrong, but wanted to share for those who will look for this in the future...

e.g. "| rest /servicesNS/admin/search/saved/searches | table title qualifiedSearch"

then I get this:

             title                                                                                                qualifiedSearch
------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Errors in the last 24 hours     search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
Errors in the last hour         search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
Indexing workload               search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series
Messages by minute last 3 hours search index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series
Splunk errors last 24 hours     search index=_internal " error " NOT debug source=*splunkd.log*
Top five sourcetypes            search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5

melonman
Motivator

For memos to myself ...

| rest /services/saved/searches | table author title qualifiedSearch

BobM
Builder

If you download the "Sanity Check My App!" app (written by carasso) from splunkbase, it includes a new search command entity. You can use it to tell splunk to use the rest endpoint to collect the saved searches.

| entity saved/searches namespace=myapp

_raw will contain the search name and the field "search" will have the search string.

troywollenslege
Path Finder

Cool application. I was trying to get the username of the person that created the saved search (the owner). Anyone know how to do that?

0 Karma

BobM
Builder

I hadn't realized I was using a custom search command from an app I had installed, "Sanity Check My App!"
I have updated my reply above.

gkanapathy
Splunk Employee

I assume it's a wrapper for the SDK calls: http://dev.splunk.com/view/managing-objects-tutorial/SP-CAAADQ5

0 Karma

gkanapathy
Splunk Employee

Can you elaborate on the entity command you have used here?

0 Karma
