Solved: How can I find all scheduled searches that have a ...

cwhelan · ‎05-16-2023

I am looking to find all scheduled searches within the environment that are using a timeframe of 'All time' e.g. if a search is scheduled to run every hour and is using timeframe of 'All time', I would like to change that search to use 'Last 60 minutes' instead.

Any helpful searches would be appreciated!

richgalloway · ‎05-16-2023

Here is a search I use to help me find all-time searches. It's not perfect, but definitely helps.

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| search is_scheduled=1 disabled=0 
| fields dispatch.earliest_time dispatch.latest_time eai:acl.owner eai:acl.sharing search cron_schedule title eai:acl.app schedule_window
| where NOT like(title, "_ScheduledView_%")
| rex field=search "(?<base>^\|+)"
| rex field=base "earliest\s*=\s*(?<earliest>[^\|\s]+)"
| rename dispatch.earliest_time as earliest_time, dispatch.latest_time as latest_time, eai:acl.owner as Owner, eai:acl.sharing as Sharing, eai:acl.app as App
| where (earliest_time<100 AND isnull(earliest) and NOT match(base,"^\|"))

---
If this reply helps you, Karma would be appreciated.

View solution in original post

cwhelan · ‎05-18-2023

Thanks a lot guys.

Taruchit · ‎05-16-2023

Hi @cwhelan,

Please share if the below code helps you get the results: -

index=_audit search_et="N/A" search_lt="N/A" user!="splunk-system-user"
|rex "\s+savedsearch\_name=\"(?<searchName>[\w\d\_\-]*[^\"])"
|stats count BY searchName

Thank you

richgalloway · ‎05-18-2023

This query will detect ad-hoc as well as scheduled searches, but only finds those that actually ran during the search window. It won't report on those that are scheduled to run at another time.

---
If this reply helps you, Karma would be appreciated.

Taruchit · ‎05-19-2023

Hi @richgalloway,

Thank you for sharing.

If I modify the rex to avoid capturing empty string for field "savedsearch_name", in your opinion does that help to solve the problem of avoiding ad-hoc searches in the result?

Thank you

richgalloway · ‎05-20-2023

Yes, that would help. However, because the audit log only contains searches that have run in the time range, the query will not detect searches that are scheduled but have not yet run.

---
If this reply helps you, Karma would be appreciated.

Taruchit · ‎05-25-2023

Thank you for sharing your inputs.

Taruchit · ‎05-18-2023

Hi @richgalloway,

It would be very helpful if you could share your inputs/feedback on the SPL that I posted.

Thank you

richgalloway · ‎05-16-2023

Here is a search I use to help me find all-time searches. It's not perfect, but definitely helps.

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| search is_scheduled=1 disabled=0 
| fields dispatch.earliest_time dispatch.latest_time eai:acl.owner eai:acl.sharing search cron_schedule title eai:acl.app schedule_window
| where NOT like(title, "_ScheduledView_%")
| rex field=search "(?<base>^\|+)"
| rex field=base "earliest\s*=\s*(?<earliest>[^\|\s]+)"
| rename dispatch.earliest_time as earliest_time, dispatch.latest_time as latest_time, eai:acl.owner as Owner, eai:acl.sharing as Sharing, eai:acl.app as App
| where (earliest_time<100 AND isnull(earliest) and NOT match(base,"^\|"))

---
If this reply helps you, Karma would be appreciated.

cwhelan · ‎05-19-2023

@richgalloway By any chance, is it possible to find how much space on disk a search used? e.g. some users are running ad-hoc searches that frequently exceed 10GB in disk size.

I tried editing Taruchit's search but couldn't find any fields in _audit relating to search size on disk.

richgalloway · ‎05-22-2023

The only place I've found disk usage information is in the Job Inspector.

---
If this reply helps you, Karma would be appreciated.

How can I find all scheduled searches that have a timeframe of 'All time'?

table

tstats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!