Splunk Search

Anyone know of a way of finding the last modified date/time of a saved search/report in Splunk?

zindain24
Path Finder

I have an audit request to show the last time a report was modified.

Thanks,
Jeremy

Tags (1)
0 Karma
1 Solution

MuS
Legend

Hi zindain24,

How about this:

index="_internal" (sourcetype=splunkd_access "POST /servicesNS/" "/search/saved/searches") file!="notify"
| table _time clientip user file | rename file AS saved_search

This will create a table containing time, clientip, user and the saved_search name.

Hope this helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi zindain24,

How about this:

index="_internal" (sourcetype=splunkd_access "POST /servicesNS/" "/search/saved/searches") file!="notify"
| table _time clientip user file | rename file AS saved_search

This will create a table containing time, clientip, user and the saved_search name.

Hope this helps ...

cheers, MuS

MuS
Legend

Just a small update on this, based on some background discussion with @martin_mueller:

  • the sourcetype could also be splunkd_ui_access
  • set up processes for modifying production splunk, show processes are followed, done and sprinkle some git, chef, etc around
  • if someone fiddles with savedsearches.conf any other way you will not get it in _internal because it only covers REST calls

cheers, MuS

0 Karma

zindain24
Path Finder

Thanks MuS! Here is what I ended up with:

index="_internal" NOT 201 NOT 400 (sourcetype=splunkd_access "POST /servicesNS/" "/search/saved/searches") NOT notify| rex "(?enable|disable)\s" | convert ctime(_time) as time |rex "saved/searches/(?\S+?)[\/|\s]" |rex "^(?:[0-9]{1,3}.){3}[0-9]{1,3}\s-\s(?\w+)" |rex "(?\d+)ms" |table time, User, SearchName, Action, MSExecutionTime | fillnull value="modify/save" |rename MSExecutionTime AS ExecutionTime(ms)

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...