How do you search for all the names/definitions of saved searches local to an (my) app?
I'm trying to create a help screen (dashboard/view) with the following panels:
For a list of all tags, I use the search:
index=myapp | tags outputfield=name | top name | sort + name
For a list of all eventtypes, I use the search:
index=myapp | top eventtype | sort + eventtype
but for the saved-search list, I'm not sure what the search should be.
app and savedsearch_name are fields in the _internal index, so something like this will give you the list of saved searches:
index="_internal" app="myapp" | top savedsearch_name | sort + savedsearch_name
And actually, for the index it depends on what stats you are looking for:
_internal: This index includes internal logs and metrics from Splunk's processors.
_audit: Events from the file system change monitor, auditing, and all user search history
This shows me the scheduled saved searches... is there a way to show ALL saved searches?
Also, I'm not sure how much the _audit index will help in this case, because I will be installing an app with this view and all associated savedsearches.conf, which means there isn't going to be any change-monitoring effect that can be displayed in the _audit logs...
Or am I mistaken?
OK, I've tried this search on the _audit log as well... and the issue is that _audit logs seem to have a pretty short retention rate. Unless the saved search has run at least once in the very recent past, it wouldn't show up in the top table...
Any more ideas?
It is not clear what exactly you want to see: top on the last hour, last 24 hours? stats on the last hour, last 24 hours? Do you want the usage or the performance?
Or do you want just the list of your saved searches? In that last case, as we are looking at logs, any search not in the log, or not showing in the timespan specified, will not be seen...
And if you want only the list, the only idea I am thinking of is indexing the savedsearches.conf and extracting the search name...
Great, this is exactly what I am looking for... how do I index the savedsearches.conf file without actually putting it into the index as an input?
The example here does exactly what you want: http://www.splunk.com/base/Documentation/4.2.1/Developer/HowToUseListers#EntityLinkLister
You need to use the EntityLinkLister to query the list of saved searches from the Splunk REST API endpoints. The names of saved searches are not in indexed logs, and there is no out-of-the-box search command that returns them (though it would not be too hard to write a custom search command that did list them out via the API).
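As an added example that is not part of the thread above, the following Python script shows the other route suggested earlier in the discussion: read the saved-search definitions straight out of savedsearches.conf rather than waiting for them to appear in _internal or _audit, which only record searches that have actually run inside the retention window. It parses the standard Splunk .conf layout (stanza headers in square brackets, key = value pairs, '#' comments, backslash line continuations), merges each stanza over the [default] stanza, and skips entries marked disabled = 1. The conf content embedded in the script is constructed for the example; the function names parse_conf and list_saved_searches are this example's own, not a Splunk API.

```python
"""Added example (not from the thread): list an app's saved searches by
parsing savedsearches.conf directly instead of searching _internal/_audit.
"""
import re
from typing import Dict, List

# Constructed sample of a savedsearches.conf from an app's default/ directory.
# The stanza names and searches below are made up for this example.
SAMPLE_CONF = """\
# savedsearches.conf for myapp
[default]
dispatch.earliest_time = -24h
enable_sched = 0

[Failed logins by user]
search = index=myapp sourcetype=auth action=failure \\
| stats count by user \\
| sort -count
cron_schedule = */15 * * * *
enable_sched = 1

[Top eventtypes]
search = index=myapp | top eventtype

[Old report]
search = index=myapp | stats count
disabled = 1
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    Handles '#' comment lines, 'key = value' pairs and trailing-backslash
    line continuations, which savedsearches.conf uses for long SPL strings.
    Continued lines are joined with a single space to keep the SPL readable.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = STANZA_RE.match(stripped)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or a malformed line: skip it
        key, _, value = line.partition("=")
        value = value.strip()
        # A trailing backslash means the value continues on the next line.
        while value.endswith("\\") and i < len(lines):
            value = value[:-1].rstrip() + " " + lines[i].strip()
            i += 1
        stanzas[current][key.strip()] = value
    return stanzas


def list_saved_searches(conf: Dict[str, Dict[str, str]],
                        include_disabled: bool = False) -> List[dict]:
    """Return the saved searches defined in a parsed savedsearches.conf.

    Each stanza is merged over the [default] stanza, so settings such as
    enable_sched fall through the way Splunk applies them. Disabled
    searches are skipped unless include_disabled is set.
    """
    defaults = conf.get("default", {})
    found = []
    for name, body in conf.items():
        if name == "default":
            continue
        merged = {**defaults, **body}
        if not include_disabled and merged.get("disabled", "0") == "1":
            continue
        found.append({
            "name": name,
            "search": merged.get("search", ""),
            "scheduled": merged.get("enable_sched", "0") == "1",
        })
    return sorted(found, key=lambda s: s["name"])


if __name__ == "__main__":
    for entry in list_saved_searches(parse_conf(SAMPLE_CONF), include_disabled=True):
        flag = "scheduled" if entry["scheduled"] else "ad hoc"
        print(f"{entry['name']:<25} [{flag}]  {entry['search']}")
```

To use this against a real app, read <SPLUNK_HOME>/etc/apps/<app>/default/savedsearches.conf and, if present, the local/savedsearches.conf beside it, and merge local over default before calling list_saved_searches, since Splunk gives local/ precedence. The output is the full list of definitions, independent of whether any search has ever run.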