Splunk Cloud Platform

How to get saved searches from ES SH?

splunk_luis12
Path Finder

Hi folks,

I'm trying to get all saved searches from my SHC and ES SH running the following SPL, but I'm unable to see the ones from my ES SH (the SPL is being run on the SHC).

| rest /servicesNS/-/-/saved/searches

When I run the SPL, the following message appears: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.

Then I tried running the following SPL and the message disappeared; however, I'm still not able to see the saved searches from my ES SH:

| rest splunk_server=local /servicesNS/-/-/saved/searches


Any idea about this? Is this because of the missing capability? Am I restricted from running this search?


Thanks in advance.

1 Solution

johnhuang
Motivator

Set up a scheduled job to save the data into a summary index. You can limit the fields being saved to your needs.

| rest splunk_server="local" "/servicesNS/-/-/saved/searches" 
| search NOT search="| noop"
| fields - type "*append *"
| eval _time=now(), event_type="saved_searches", search_head="ES_SH"
| foreach search qualifiedSearch [| eval "<<FIELD>>"=replace(<<FIELD>>,"\n", ";;;") | eval "<<FIELD>>"=replace(<<FIELD>>,"\"", "!!!")]
| table _time event_type search_head *
| collect index="<summary_indexname>" source="splunk_saved_searches_backup" sourcetype="stash"


To query the saved report:

index="<summary_indexname>" source="splunk_saved_searches_backup" sourcetype="stash"
| dedup id
| foreach search qualifiedSearch [| rex field="<<FIELD>>" mode=sed "s/;;;/\n/g" | eval "<<FIELD>>"=replace(<<FIELD>>,"!!!", "\"") | eval "<<FIELD>>"=replace(<<FIELD>>,"\\\\\\\\", "\\\\")]
| table _time event_type search_head *


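An added example, not part of the thread: it reproduces the encode-before-collect and decode-on-read steps of the accepted answer in Python over a constructed REST response, so the round trip (and the `| noop` filter) can be checked offline. Field names follow Splunk's JSON output for the saved/searches endpoint; the host es-sh and the entries are placeholders.

```python
import json

# Constructed sample shaped like /servicesNS/-/-/saved/searches?output_mode=json:
# one real correlation search plus a "| noop" placeholder that the thread's
# SPL drops with `search NOT search="| noop"`. Host and names are made up.
SAMPLE_REST_JSON = json.dumps({"entry": [
    {"name": "Suspicious cmd.exe activity",
     "id": "https://es-sh:8089/servicesNS/nobody/SA-ESCU/saved/searches/Suspicious%20cmd.exe%20activity",
     "acl": {"app": "SA-ESCU", "owner": "nobody"},
     "content": {"search": 'index=main "cmd.exe"\n| stats count by host',
                 "cron_schedule": "*/5 * * * *", "disabled": False}},
    {"name": "placeholder",
     "id": "https://es-sh:8089/servicesNS/admin/search/saved/searches/placeholder",
     "acl": {"app": "search", "owner": "admin"},
     "content": {"search": "| noop", "cron_schedule": "", "disabled": True}},
]})


def encode_field(value: str) -> str:
    """Same substitutions the answer's SPL makes before `collect`: raw newlines
    and double quotes would break the single-line stash format, so flatten them.
    Caveat: a search that already contains ';;;' or '!!!' will not round-trip."""
    return value.replace("\n", ";;;").replace('"', "!!!")


def decode_field(value: str) -> str:
    """Inverse of encode_field, as in the answer's read-back search."""
    return value.replace(";;;", "\n").replace("!!!", '"')


def to_summary_events(rest_json: str, search_head: str) -> list:
    """Flatten the REST response into one event per saved search, tagged with
    the originating search head, skipping `| noop` placeholders."""
    events = []
    for entry in json.loads(rest_json)["entry"]:
        content = entry["content"]
        if content.get("search", "").strip() == "| noop":
            continue
        events.append({
            "event_type": "saved_searches",
            "search_head": search_head,
            "id": entry["id"],
            "title": entry["name"],
            "app": entry["acl"]["app"],
            "owner": entry["acl"]["owner"],
            "search": encode_field(content["search"]),
            "cron_schedule": content.get("cron_schedule", ""),
            "disabled": content.get("disabled", False),
        })
    return events
```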

splunk_luis12
Path Finder

@johnhuang I'm a bit of a novice at this. What can be an example of a query that I should execute from the SHC to see that data from the ES SH in that summary index?


johnhuang
Motivator

You will have to run the search on your ES search head. There's no easy way to access rest services of another search head.

splunk_luis12
Path Finder

Hi @johnhuang, what if I create a summary index with that data on the ES SH and then search it from the SHC? Is that possible?


johnhuang
Motivator

@splunk_luis12 Yes, that will work. A benefit of storing a copy of your saved searches in a summary index is that you now have a backup.
