Splunk Enterprise Security

Pleas help with an SPL to find the reason for saved / skipped searches in ES.

SamHTexas
Builder

I have MC on the ES & tried my SPLs but need your help please. I need to find the apps, name of skipped searches & why the searches were skipped? Thank u in advance.

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

It should be in the MC already, but maybe this will help you.

index=_internal host=* sourcetype=scheduler status="skipped" 
| stats count(savedsearch_name) as "Total Skipped" by app search_type reason savedsearch_name 
| sort - "Total Skipped" 
---
If this reply helps you, an upvote would be appreciated.
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!