
how to search for all the names of savedsearches associated with my app

Communicator

How do you search for all the names/definition of saved-searches local to an (my) app?

I'm trying to create a help-screen (dashboard/view) with the following panels:

For a list of all tags, I use the search:

index=myapp | tags outputfield=name | top name | sort + name

For a list of all eventtypes, I use the search:

index=myapp | top eventtype | sort + eventtype

But for the saved-search list, I'm not sure what the search should be.

Any ideas?

Re: how to search for all the names of savedsearches associated with my app

Motivator

app and savedsearch_name are fields in the _internal index, so something like this will give you the list of saved searches:

index="_internal" app="myapp" | top savedsearch_name | sort + savedsearch_name


Re: how to search for all the names of savedsearches associated with my app

Motivator

And actually, for the index, it depends on what stats you are looking for:

_internal: This index includes internal logs and metrics from Splunk's processors.

_audit: Events from the file system change monitor, auditing, and all user search history.

0 Karma

Re: how to search for all the names of savedsearches associated with my app

Communicator

This shows me the scheduled saved searches... Is there a way to show ALL saved searches?

0 Karma

Re: how to search for all the names of savedsearches associated with my app

Communicator

Also, I'm not sure how much the _audit index will help in this case, because I will be installing an app with this view and all associated savedsearches.conf, which means there isn't going to be any change-monitoring effect that can be displayed in the _audit logs...

Or am I mistaken?

0 Karma

Re: how to search for all the names of savedsearches associated with my app

Communicator

OK, I've tried this search on the _audit log as well... and the issue is that _audit logs seem to have a pretty short retention rate. Unless the saved search is run at least once in the very near present, it wouldn't show up in the top table...

Any more ideas?

Much appreciated.

0 Karma

Re: how to search for all the names of savedsearches associated with my app

Motivator

It is not clear what exactly you want to see. Top over the last hour, the last 24 hours? Stats over the last hour, the last 24 hours? Do you want the usage or the performance?

Or do you just want the list of your saved searches? In that last case, as we are looking at logs, any search not in the log, or not showing in the timespan specified, will not be seen...
And if you want only the list, the only idea I can think of is indexing the savedsearches.conf and extracting the search name...

0 Karma

Re: how to search for all the names of savedsearches associated with my app

Communicator

Great. This is exactly what I am looking for... How do I index the savedsearches.conf file without actually putting it into the index as an input?

0 Karma

Re: how to search for all the names of savedsearches associated with my app

Splunk Employee

The example here does exactly what you want: http://www.splunk.com/base/Documentation/4.2.1/Developer/HowToUseListers#EntityLinkLister

You need to use the EntityLinkLister to query the list of saved searches from the Splunk REST API endpoints. The names of saved searches are not in indexed logs, and there is no out-of-the-box search command that returns them (though it would not be too hard to write a custom search command that did list them out via the API).

0 Karma
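
The "extract the search names from savedsearches.conf" idea raised earlier in the thread, as an added example (not code from any poster or from Splunk): a small Python parser that lists every stanza in an app's savedsearches.conf, scheduled or not, with the app's local/ layer applied over default/. The sample file contents and the function names are constructed for this example.

```python
import re

# Constructed sample layers (not from the thread): default/ and local/ savedsearches.conf
DEFAULT_CONF = """\
[default]
dispatch.earliest_time = -24h
[Top tags]
search = index=myapp | tags outputfield=name \\
    | top name | sort + name
# scheduled search (the kind the thread's _internal query showed)
[Failed logins - hourly]
search = index=myapp eventtype=failed_login | stats count by user
enableSched = 1
"""
LOCAL_CONF = "[Top tags]\ndisabled = 1\n"
STANZA = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Return {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if not line or (not pending and line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        match = STANZA.match(line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def list_saved_searches(default_text, local_text=""):
    """Layer local/ over default/ (local wins per key) and list every stanza."""
    merged = parse_conf(default_text)
    for name, settings in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(settings)
    truthy = ("1", "true")
    return sorted(
        ({"name": n, "search": s.get("search", ""),
          "scheduled": s.get("enableSched", "0").lower() in truthy,
          "disabled": s.get("disabled", "0").lower() in truthy}
         for n, s in merged.items() if n != "default"),  # [default] holds globals
        key=lambda row: row["name"])

if __name__ == "__main__":
    for row in list_saved_searches(DEFAULT_CONF, LOCAL_CONF):
        print(row)
```

Because it reads the configuration rather than the logs, the listing does not depend on a search having run inside the retention window.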