Splunk Search

Get Saved search name details

rosh_dsa
New Member

How do I get a list of saved search names, the user who ran each one, the last time it ran, the query it ran, and who created the search?

I have looked at a couple of queries like the one below, but can't get the creator:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0"
| stats count by user search _time
| sort user
| fields user search _time


rosh_dsa
New Member

Thank you.
Does the sourcetype=scheduler gather all searches, i.e. "Scheduled" searches and "Saved" searches (which have not been scheduled)?


renjith_nair
Legend

@rosh_dsa,

Try this

index=_internal sourcetype=scheduler savedsearch_name=*
| stats latest(scheduled_time) as last_run, latest(user) as run_user by savedsearch_name
| append [ | rest /services/saved/searches search="is_scheduled=1" | fields title, search, author | rename title as savedsearch_name ]
| stats values(*) as * by savedsearch_name
| convert ctime(last_run) as last_run
---
What goes around comes around. If it helps, hit it with Karma 🙂
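An added example, not from this thread, that extends the query above to cover ad hoc runs as well as scheduled ones: it reads scheduler events together with _audit search-granted events, and assumes (to be verified on your instance) that _audit search events carry a savedsearch_name field that is non-empty when the search was dispatched from a saved search. The is_scheduled filter on the REST call is dropped so unscheduled saved searches are listed with their author too.

```spl
(index=_internal sourcetype=scheduler savedsearch_name=*)
    OR (index=_audit action=search info=granted savedsearch_name!="" NOT user=splunk-system-user)
| eval run_time = if(sourcetype == "scheduler", scheduled_time, _time)
| eval run_type = if(sourcetype == "scheduler", "scheduled", "adhoc")
| stats latest(run_time) as last_run,
        latest(user) as run_user,
        latest(run_type) as last_run_type,
        count as runs
        by savedsearch_name
| append
    [ | rest /services/saved/searches
      | fields title, search, author, is_scheduled
      | rename title as savedsearch_name ]
| stats values(*) as * by savedsearch_name
| convert ctime(last_run) as last_run
| table savedsearch_name, author, is_scheduled, run_user, last_run, last_run_type, runs, search
```

Saved searches that appear in the REST output but have no run_user or last_run have never been run in the time range searched; widen the time picker if the scheduler or _audit retention is longer than the window you selected.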

rosh_dsa
New Member

Thank you.
Does the sourcetype=scheduler get all searches i.e. "Saved" searches that have not been scheduled but have been run adhoc ?
