Reporting

Is it possible to determine the last time a saved search was executed?

Communicator

I am looking to audit the non-scheduled saved searches that users have created, is there a way to obtain the last run time of each saved search?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee
index="_internal" (sourcetype="splunk_web_service" view "loading saved search") 
OR (sourcetype=splunkd_access "GET /servicesNS/" "/search/saved/searches") 
| rex "loading saved search \"(?<saved_search>[^\"]+)" 
| eval uri_decode = urldecode(uri) 
| rex field=uri_decode "saved\/searches\/(?<saved_search>[^\$]+)$" 
| search saved_search=* NOT saved_search="_new" 
| transaction saved_search maxspan=2s
| search sourcetype="splunk_web_service" AND sourcetype="splunkd_access" 
| stats first(user) as user last(_time) as last_run_time by saved_search 
| fieldformat last_run_time=strftime(last_run_time, "%m/%d/%Y %H:%M:%S")

Communicator

I know this query can be written better but it works 😉

audit_searchlocal | audit_rexsearch | search search_id!=scheduler_* | search search=search* search!=*_internal* search!=*_audit* | search NOT audit_search* | search NOT audittrail

HTH

0 Karma