Splunk Search

Get Saved search name details

rosh_dsa
New Member

How do I get a list of saved searches name, the user who ran it, the last time it ran and the query it ran, and who created the search ?

I have looked at a couple of queries like, but can't get the creator :-

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort user | fields user search _time

Tags (1)
0 Karma

rosh_dsa
New Member

Thank you.
Does the sourcetype=scheduler gather all Searches ie. "Scheduled" searches and "Saved" searches (which have not been scheduled) ?

0 Karma

renjith_nair
Legend

@rosh_dsa,

Try this

index=_internal sourcetype=scheduler savedsearch_name=*
|stats latest(scheduled_time) as last_run,latest(user) as run_user by savedsearch_name
|append [ | rest /services/saved/searches search="is_scheduled=1"|fields title,search,author|rename title as savedsearch_name]
|stats values(*) as * by  savedsearch_name|convert ctime(last_run) as last_run
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

rosh_dsa
New Member

Thank you.
Does the sourcetype=scheduler get all searches i.e. "Saved" searches that have not been scheduled but have been run adhoc ?

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...