I am looking to audit the non-scheduled saved searches that users have created, is there a way to obtain the last run time of each saved search?
index="_internal" (sourcetype="splunk_web_service" view "loading saved search")
OR (sourcetype=splunkd_access "GET /servicesNS/" "/search/saved/searches")
| rex "loading saved search \"(?<saved_search>[^\"]+)"
| eval uri_decode = urldecode(uri)
| rex field=uri_decode "saved\/searches\/(?<saved_search>[^\$]+)$"
| search saved_search=* NOT saved_search="_new"
| transaction saved_search maxspan=2s
| search sourcetype="splunk_web_service" AND sourcetype="splunkd_access"
| stats first(user) as user max(_time) as last_run_time by saved_search
| fieldformat last_run_time=strftime(last_run_time, "%m/%d/%Y %H:%M:%S")
I know this query can be written better but it works 😉
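As an added illustration (my own code, not part of the answer above and not Splunk's), the script below reproduces the logic of that search offline in Python: it pulls the saved-search name out of the `loading saved search` message, URL-decodes the `/saved/searches/` path from the access log, keeps only runs where both sourcetypes agree within a 2 second window (the `transaction ... maxspan=2s` plus the two-sourcetype filter), and reports the most recent run and the user behind it. The log lines are constructed to approximate the `splunk_web_service` and `splunkd_access` formats and are not taken from a real instance; the web-service timestamps are assumed to be UTC.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample events (assumption: formats approximate the two
# sourcetypes; they are not copied from a real Splunk instance).
WEB_SERVICE_LOG = """\
2024-03-01 09:00:01,120 INFO  [65e1a0c1] view:58 - loading saved search "Failed Logins by Host"
2024-03-01 09:00:05,000 INFO  [65e1a0c5] view:58 - loading saved search "_new"
2024-03-02 14:30:00,050 INFO  [65e2e7b0] view:58 - loading saved search "Failed Logins by Host"
2024-03-02 16:00:00,000 INFO  [65e2fc90] view:58 - loading saved search "Privileged Logins"
"""

ACCESS_LOG = """\
127.0.0.1 - alice [01/Mar/2024:09:00:01.400 +0000] "GET /servicesNS/alice/search/saved/searches/Failed%20Logins%20by%20Host?output_mode=json HTTP/1.1" 200 2048 - - - 3ms
127.0.0.1 - alice [01/Mar/2024:09:00:05.200 +0000] "GET /servicesNS/alice/search/saved/searches/_new?output_mode=json HTTP/1.1" 200 512 - - - 1ms
127.0.0.1 - bob [02/Mar/2024:14:30:00.300 +0000] "GET /servicesNS/bob/search/saved/searches/Failed%20Logins%20by%20Host?output_mode=json HTTP/1.1" 200 2048 - - - 2ms
127.0.0.1 - carol [02/Mar/2024:16:00:09.000 +0000] "GET /servicesNS/carol/search/saved/searches/Privileged%20Logins?output_mode=json HTTP/1.1" 200 2048 - - - 2ms
"""

# Equivalent of: rex "loading saved search \"(?<saved_search>[^\"]+)"
WEB_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*loading saved search "(?P<name>[^"]+)"'
)
ACCESS_RE = re.compile(
    r'^\S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<uri>/servicesNS/\S+) HTTP'
)
# Name after /saved/searches/, stopping at the query string.
SAVED_RE = re.compile(r"saved/searches/(?P<name>[^?]+)")
MAXSPAN = 2.0  # seconds; mirrors transaction maxspan=2s


def parse_web_service(text):
    """(timestamp, saved_search) for each 'loading saved search' event, minus _new."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m or m.group("name") == "_new":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        events.append((ts.replace(tzinfo=timezone.utc), m.group("name")))
    return events


def parse_access(text):
    """(timestamp, saved_search, user) for each REST fetch of a saved search, minus _new."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        uri = unquote(m.group("uri"))  # same role as eval urldecode(uri)
        s = SAVED_RE.search(uri)
        if not s or s.group("name") == "_new":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f %z")
        events.append((ts, s.group("name"), m.group("user")))
    return events


def last_run_times(web_text, access_text, maxspan=MAXSPAN):
    """{saved_search: (user, last_run_time)} for runs seen in BOTH sourcetypes
    within maxspan seconds; the latest such run wins (stats max(_time))."""
    result = {}
    for wts, name in parse_web_service(web_text):
        for ats, aname, user in parse_access(access_text):
            if aname != name or abs((ats - wts).total_seconds()) > maxspan:
                continue
            run_time = max(wts, ats)
            prev = result.get(name)
            if prev is None or run_time > prev[1]:
                result[name] = (user, run_time)
            break
    return result


def format_report(result):
    """Sorted (saved_search, user, 'MM/DD/YYYY HH:MM:SS') rows, like the fieldformat line."""
    return sorted(
        (name, user, ts.strftime("%m/%d/%Y %H:%M:%S")) for name, (user, ts) in result.items()
    )


if __name__ == "__main__":
    for row in format_report(last_run_times(WEB_SERVICE_LOG, ACCESS_LOG)):
        print(*row, sep="\t")
```

With the 2 second window, "Privileged Logins" drops out because carol's REST fetch lands 9 seconds after the web-service event; widening `maxspan` brings it back, which is the knob to turn if your search head is slow enough that the two events drift apart.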
`audit_searchlocal` | `audit_rexsearch` | search search_id!=scheduler_* | search search=search* search!=*_internal* search!=*_audit* | search NOT audit_search* | search NOT audittrail