How to search for all the names of savedsearches associated with my app

Communicator

How do you search for all the names/definition of saved-searches local to an (my) app?

I'm trying to create a help-screen (dashboard/view) with the following panels:

For a list of all tags, I use the search:

index=myapp | tags outputfield=name | top name | sort + name

For a list of all eventtypes, I use the search:

index=myapp | top eventtype | sort + eventtype

But for the saved-search list, I'm not sure what the search should be?

Any ideas?

1 Solution

Motivator

app and savedsearch_name are fields in index _internal, so something like this will give you the list of saved searches:

index="_internal" app="myapp" | top savedsearch_name | sort + savedsearch_name

Splunk Employee

The example here does exactly what you want: http://www.splunk.com/base/Documentation/4.2.1/Developer/HowToUseListers#EntityLinkLister

You need to use the EntityLinkLister to query the list of saved searches from the Splunk REST API endpoints. The names of saved searches are not in indexed logs, and there is no out-of-the-box search command that returns them (though it would not be too hard to write a custom search command that did list them out via the API).

0 Karma

Communicator

Great. This is exactly what I am looking for... How do I index the savedsearches.conf file without actually putting it into the index as an input?

0 Karma

Motivator

It is not clear what exactly you want to see. Top on last hour, last 24 hours? Stats on last hour, last 24 hours? Do you want the usage or performance?

Or do you want just the list of your saved searches? In this last case, as we are looking at the log, any search not in the log, or not showing in the timespan specified, will not be seen...
And if you want only the list, the only idea I am thinking of is indexing the savedsearches.conf and extracting the search name...

0 Karma

Communicator

OK, I've tried this search on the _audit log as well... and the issue is that _audit logs seem to have a pretty short retention rate. Unless the savedsearch is run at least once in the very near present, it wouldn't show up in the top-table...

Any more ideas?

Much appreciated.

0 Karma

Communicator

Also, I'm not sure how much the _audit index will help in this case, because I will be installing an app with this view and all associated savedsearches.conf, which means there isn't going to be any change-monitoring effect that can be displayed in the _audit logs...

Or am I mistaken?

0 Karma

Communicator

This shows me the scheduled saved searches... Is there a way to show ALL saved searches?

0 Karma

Motivator

And actually, for the index, it depends on what stats you are looking for:
_internal: This index includes internal logs and metrics from Splunk's processors.

_audit: Events from the file system change monitor, auditing, and all user search history

0 Karma