Splunk Search

How can I find all scheduled searches that have a timeframe of 'All time'?

cwhelan
Explorer

I am looking to find all scheduled searches within the environment that are using a timeframe of 'All time' e.g. if a search is scheduled to run every hour and is using timeframe of 'All time', I would like to change that search to use 'Last 60 minutes' instead.

Any helpful searches would be appreciated!

1 Solution

richgalloway
SplunkTrust
SplunkTrust

Here is a search I use to help me find all-time searches.  It's not perfect, but definitely helps.

| rest splunk_server=local /servicesNS/-/-/saved/searches
| search is_scheduled=1 disabled=0
| fields dispatch.earliest_time dispatch.latest_time eai:acl.owner eai:acl.sharing search cron_schedule title eai:acl.app schedule_window
| where NOT like(title, "_ScheduledView_%")
| rex field=search "(?<base>^[^\|]+)"
| rex field=base "earliest\s*=\s*(?<earliest>[^\|\s]+)"
| rename dispatch.earliest_time as earliest_time, dispatch.latest_time as latest_time, eai:acl.owner as Owner, eai:acl.sharing as Sharing, eai:acl.app as App
| where (earliest_time<100 AND isnull(earliest) and NOT match(base,"^\|"))
---
If this reply helps you, Karma would be appreciated.
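The same classification richgalloway's SPL performs, written as a stand-alone Python version that is added here and is not code from the thread: it applies the filters (enabled and scheduled, not a _ScheduledView_, no inline earliest= before the first pipe, not a generating command, dispatch.earliest_time unset or 0) to a constructed JSON sample shaped like the saved/searches REST response. The entries, owners and cron strings are made-up values.

```python
import json
import re

# Constructed sample shaped like the saved/searches REST response (output_mode=json),
# trimmed to the fields the SPL above uses. The entries are made up, not real data.
SAMPLE_JSON = json.dumps({"entry": [
    {"name": "Hourly web errors", "acl": {"owner": "admin", "app": "search"},
     "content": {"is_scheduled": True, "disabled": False, "cron_schedule": "0 * * * *",
                 "dispatch.earliest_time": "0", "dispatch.latest_time": "now",
                 "search": "index=web status>=500 | stats count by host"}},
    {"name": "Inline window", "acl": {"owner": "bob", "app": "search"},
     "content": {"is_scheduled": True, "disabled": False, "cron_schedule": "*/5 * * * *",
                 "dispatch.earliest_time": "", "dispatch.latest_time": "",
                 "search": "index=web earliest=-5m@m | stats count"}},
    {"name": "Last hour logins", "acl": {"owner": "alice", "app": "search"},
     "content": {"is_scheduled": True, "disabled": False, "cron_schedule": "0 * * * *",
                 "dispatch.earliest_time": "-60m@m", "dispatch.latest_time": "now",
                 "search": "index=auth action=login | stats count by user"}},
    {"name": "_ScheduledView_ops", "acl": {"owner": "admin", "app": "search"},
     "content": {"is_scheduled": True, "disabled": False, "cron_schedule": "0 6 * * *",
                 "dispatch.earliest_time": "0", "dispatch.latest_time": "now",
                 "search": "| savedsearch ops_view"}},
]})

# earliest=<value> written into the SPL itself overrides dispatch.earliest_time
INLINE_EARLIEST = re.compile(r"\bearliest\s*=\s*[^\s|]+")

def is_all_time(dispatch_earliest):
    """Unset or '0' dispatch.earliest_time means no lower bound, i.e. 'All time'."""
    return (dispatch_earliest or "").strip() in ("", "0")

def find_all_time_scheduled(rest_json):
    """Return (title, owner, app, cron) for enabled scheduled searches run over all time."""
    hits = []
    for entry in json.loads(rest_json)["entry"]:
        content, title = entry["content"], entry["name"]
        if not content.get("is_scheduled") or content.get("disabled"):
            continue
        if title.startswith("_ScheduledView_"):
            continue  # scheduled dashboard/PDF views, not user-authored searches
        search = content.get("search", "")
        if search.lstrip().startswith("|"):
            continue  # generating command (rest, tstats, ...), skipped as in the SPL above
        if INLINE_EARLIEST.search(search.split("|", 1)[0]):
            continue  # the base search before the first pipe already bounds the window
        if is_all_time(content.get("dispatch.earliest_time")):
            hits.append((title, entry["acl"]["owner"], entry["acl"]["app"],
                         content.get("cron_schedule")))
    return hits
```

Against a live instance, the same JSON comes from `/servicesNS/-/-/saved/searches?output_mode=json&count=0`; the returned tuples are the searches worth rescoping to a window that matches their cron interval.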


cwhelan
Explorer

Thanks a lot guys.

Taruchit
Contributor

Hi @cwhelan,

Please share if the below code helps you get the results:


index=_audit search_et="N/A" search_lt="N/A" user!="splunk-system-user"
|rex "\s+savedsearch\_name=\"(?<searchName>[\w\d\_\-]*[^\"])"
|stats count BY searchName


Thank you

richgalloway
SplunkTrust
SplunkTrust

This query will detect ad-hoc as well as scheduled searches, but only finds those that actually ran during the search window.  It won't report on those that are scheduled to run at another time.

---
If this reply helps you, Karma would be appreciated.

Taruchit
Contributor

Hi @richgalloway,

Thank you for sharing.

If I modify the rex to avoid capturing empty string for field "savedsearch_name", in your opinion does that help to solve the problem of avoiding ad-hoc searches in the result?

Thank you


richgalloway
SplunkTrust
SplunkTrust

Yes, that would help.  However, because the audit log only contains searches that have run in the time range, the query will not detect searches that are scheduled but have not yet run.

---
If this reply helps you, Karma would be appreciated.

Taruchit
Contributor

Thank you for sharing your inputs.


Taruchit
Contributor

Hi @richgalloway,

It would be very helpful if you could share your inputs/feedback on the SPL that I posted.

Thank you


cwhelan
Explorer

@richgalloway By any chance, is it possible to find how much space on disk a search used? e.g. some users are running ad-hoc searches that frequently exceed 10GB in disk size.

I tried editing Taruchit's search but couldn't find any fields in _audit relating to search size on disk.


richgalloway
SplunkTrust
SplunkTrust

The only place I've found disk usage information is in the Job Inspector.

---
If this reply helps you, Karma would be appreciated.