Reporting

search all saved searches .conf files

sbattista09
Contributor

quick question, I want to search all saved searches .conf files for all email actions for a specific e-mail address while also showing the search name, how would i do this?

0 Karma
1 Solution

lycollicott
Motivator

Windows command line:

findstr /s /i "<search_string>" savedsearches.conf

Unix/Linux command line:

find . -name savedsearches.conf -exec grep -i "<search_string>" {} \;

View solution in original post

somesoni2
Revered Legend

Try like this (to list all)

| rest /servicesNS/-/-/saved/searches splunk_server=local  | search action.email=1 | table title eai:acl.app action.email.to

For searches for specific email

| rest /servicesNS/-/-/saved/searches splunk_server=local  | search action.email=1 action.email.to=*emailtosearch@example.com* | table title eai:acl.app action.email.to

lycollicott
Motivator

Windows command line:

findstr /s /i "<search_string>" savedsearches.conf

Unix/Linux command line:

find . -name savedsearches.conf -exec grep -i "<search_string>" {} \;

twinspop
Influencer

Use the GUI. Searches and Reports will show you matches for email addresses within scheduled searches.

Or on the CLI, you could use btool and some grep'ing:

splunk btool savedsearches list | egrep -r "^\[|youremailaddress@email.com"

This will show you each saved search stanza opening, followed by a line with the matching email if it's there.

sbattista09
Contributor

i want it to show the search/alert name and who it e-mails. i am getting verbose results with this one.

0 Karma

twinspop
Influencer

Right. It shows all scheduled search names, but only those with emails will have a second line:

[somesearch]
action.email.to = youremail@email.com
[another_search]
[yetanother]
0 Karma

ddrillic
Ultra Champion

On the file system something like - find . -name "searches.conf" | xargs grep -i <e-mail address>

skoelpin
SplunkTrust
SplunkTrust

Try this

| rest /servicesNS/-/-/saved/searches/ | where is_scheduled=1 AND 'action.email'=1 | table eai:acl.app title

0 Karma

sbattista09
Contributor

seems like it is not showing all the alerts in the saved searches .conf file. and it is not showing the e-mail actions.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...