Splunk Search

How can I extract the exact search string for modified saved searches from events in the _internal index?

New Member

Hi All,

I want to list all the saved searches which are modified (action=edit) from the logs, but the exact search string is not visible in the logs. Can some one guide me on how to approach this one?

0 Karma


I believe the search string is not logged on edit, consider using version control.

0 Karma



It might not fully answer your question but I think it's a good start if you take a look at my answers here:


It was a very long discussion on how to list saved searches and who has been and hasn't been using them in the last two months.
It contains the search string you are looking for.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...