how to search for all the names of savedsearches associated with my app

klee310
Communicator

How do you search for all the names/definitions of saved searches local to an (my) app?

I'm trying to create a help-screen (dashboard/view) with the following panels:

For a list of all tags, I use the search:

index=myapp | tags outputfield=name | top name | sort + name

For a list of all eventtypes, I use the search:

index=myapp | top eventtype | sort + eventtype

but for the saved-search list, I'm not sure what the search should be?

Any ideas?

1 Solution

MarioM
Motivator

app and savedsearch_name are fields in the _internal index, so something like this will give you the list of saved searches:

index="_internal" app="myapp" | top savedsearch_name | sort + savedsearch_name


gkanapathy
Splunk Employee

The example here does exactly what you want: http://www.splunk.com/base/Documentation/4.2.1/Developer/HowToUseListers#EntityLinkLister

You need to use the EntityLinkLister to query the list of saved searches from the Splunk REST API endpoints. The names of saved searches are not in indexed logs, and there is no out-of-the-box search command that returns them (though it would not be too hard to write a custom search command that did list them out via the API).

0 Karma
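Added example (not from this thread and not Splunk's own code): a small Python script that lists an app's saved searches through the saved/searches REST endpoint gkanapathy points to, which also returns searches that have never run or are not scheduled. The sample response is constructed in the shape of that endpoint's JSON output; the base URL, the app name and the bearer-token header are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample in the shape of the JSON returned by
# GET /servicesNS/-/myapp/saved/searches?output_mode=json (values made up).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Failed logins by host",
         "acl": {"app": "myapp", "sharing": "app"},
         "content": {"search": "index=myapp action=failure | stats count by host",
                     "is_scheduled": "1", "cron_schedule": "*/15 * * * *"}},
        {"name": "New admin accounts",
         "acl": {"app": "myapp", "sharing": "app"},
         "content": {"search": "index=myapp eventtype=account_created role=admin",
                     "is_scheduled": "0", "cron_schedule": ""}},
        {"name": "Errors in the last 24h",
         "acl": {"app": "search", "sharing": "global"},
         "content": {"search": "index=_internal log_level=ERROR | top component",
                     "is_scheduled": "0", "cron_schedule": ""}},
    ]
})


def saved_searches_url(base_url, app, count=0):
    """Build the endpoint URL; the '-' owner lists every user's searches in the app."""
    query = urllib.parse.urlencode({"output_mode": "json", "count": count})
    return f"{base_url}/servicesNS/-/{app}/saved/searches?{query}"


def parse_saved_searches(body, app):
    """Return [(name, search, scheduled)] for entries whose ACL app matches."""
    rows = []
    for entry in json.loads(body).get("entry", []):
        if entry.get("acl", {}).get("app") != app:
            continue  # skip searches inherited from other apps
        content = entry.get("content", {})
        scheduled = str(content.get("is_scheduled", "0")).lower() in ("1", "true")
        rows.append((entry["name"], content.get("search", ""), scheduled))
    return sorted(rows, key=lambda r: r[0].lower())


def fetch_saved_searches(base_url, app, token):
    """Query a live instance (assumed auth: a Splunk token sent as a bearer token)."""
    req = urllib.request.Request(saved_searches_url(base_url, app),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return parse_saved_searches(resp.read().decode(), app)


if __name__ == "__main__":
    for name, search, scheduled in parse_saved_searches(SAMPLE_RESPONSE, "myapp"):
        print(f"{'[sched]' if scheduled else '[adhoc]'} {name}: {search}")
```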


klee310
Communicator

Great. This is exactly what I am looking for... How do I index the savedsearches.conf file without actually putting it into the index as an input?

0 Karma

MarioM
Motivator

It is not clear what exactly you want to see: top on the last hour, last 24 hours? Stats on the last hour, last 24 hours? Do you want the usage or the performance?

Or do you want just the list of your saved searches? In this last case, as we are looking at logs, any search not in the log, or not showing in the timespan specified, will not be seen...
And if you want only the list, the only idea I am thinking of is indexing the savedsearches.conf and extracting the search name...

0 Karma

klee310
Communicator

OK, I've tried this search on the _audit log as well... and the issue is that _audit logs seem to have a pretty short retention rate. Unless the saved search has run at least once in the very near present, it wouldn't show up in the top table...

Any more ideas?

Much appreciated.

0 Karma

klee310
Communicator

Also, I'm not sure how much the _audit index will help in this case, because I will be installing an app with this view and all associated savedsearches.conf, which means there isn't going to be any change-monitoring effect that can be displayed in the _audit logs...

Or am I mistaken?

0 Karma

klee310
Communicator

This shows me the scheduled saved searches... is there a way to show ALL saved searches?

0 Karma

MarioM
Motivator

And actually for the index it depends on what stats you are looking for:
_internal: This index includes internal logs and metrics from Splunk's processors.

_audit: Events from the file system change monitor, auditing, and all user search history

0 Karma