Re: query to monitor new inputs

sarit_s · ‎02-14-2022

Hello

I want to monitor if user run new search in our environment or created new alert
i tried to use this query :

|rest /services/saved/searches | search action.email.to=* OR action.email.to=*  | where  disabled=0  | table title , search , updated

the problem is that there is no time field in order to compare the 'updated' value with time to know if there is something new.

is there any other way to check new entries ?

ITWhisperer · ‎02-14-2022

The updated field gives you the time it was updated - can you compare that to now()?

sarit_s · ‎02-14-2022

does

|rest /services/saved/searches

returns only saved searches or also real time searches ?

isoutamo · ‎02-14-2022

Hi

I think that you should use REST Endpoint

| rest /servicesNS/-/-/saved/searches

to get all users saved searches from all apps. With your original you didn't get those.

I think that you get only alerts/reports etc. which are stored into savedsearches.conf not those which users are currently running as add hoc. But best to check it unless someone can confirm this.

To check if there are any new savedsearches which has modified you must generate lookup where you stored those modified times and then check if that differs now.

r. Ismo

ITWhisperer · ‎02-14-2022

Tom West does a good presentation on Dashboarding Wowzas at BSides (BSides Splunk Conference) and other places where he presents version control for dashboards. This could easily be modified to deal with searches.

How to query to monitor new inputs

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life