Get Saved search name details

rosh_dsa · ‎10-18-2019

How do I get a list of saved searches name, the user who ran it, the last time it ran and the query it ran, and who created the search ?

I have looked at a couple of queries like, but can't get the creator :-

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort user | fields user search _time

rosh_dsa · ‎10-21-2019

Thank you.
Does the sourcetype=scheduler gather all Searches ie. "Scheduled" searches and "Saved" searches (which have not been scheduled) ?

renjith_nair · ‎10-18-2019

@rosh_dsa,

Try this

index=_internal sourcetype=scheduler savedsearch_name=*
|stats latest(scheduled_time) as last_run,latest(user) as run_user by savedsearch_name
|append [ | rest /services/saved/searches search="is_scheduled=1"|fields title,search,author|rename title as savedsearch_name]
|stats values(*) as * by  savedsearch_name|convert ctime(last_run) as last_run

Happy Splunking!

rosh_dsa · ‎10-21-2019

Thank you.
Does the sourcetype=scheduler get all searches i.e. "Saved" searches that have not been scheduled but have been run adhoc ?

Get Saved search name details

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes