How to find all savedsearches (alerts and reports) that are scheduled and use a specific index?

Glasses2
Communicator

Hi 

I am not having much luck.

I want to find all schedule reports and alerts that use a specific index (e.g. index=foo) or the name contains a keyword (e.g. fooBar).

I tried the _audit index:
index=_audit  search = *"index=foo"* OR savedsearch_name=*fooBAR* provenance=scheduler | stats  values(savedsearch_name)

I get some of the alerts (hopefully "provenance = scheduler" means it is scheduled) but I was looking for a better way, maybe with | rest:

| rest /servicesNS/-/search/saved/searches 
| table title,triggered_alert_count,search, cron_schedule,alert_type,alert_condition
| rex field=search "index=(?<indexName>.[^\s]+)" 
| search indexName=foo

However I am not having much luck getting alerts that contain "index=foo" in the search field.

Any advice appreciated.

Thank you

1 Solution

gcusello
SplunkTrust

Hi @Glasses2,

you can try something like this

| rest /servicesNS/-/search/saved/searches 
| table title,triggered_alert_count,search, cron_schedule,alert_type,alert_condition
| rex field=search "index\s*\=\s*(?<indexname>\w+)"
| search indexname="foo"
| table search

Ciao.

Giuseppe

bowesmana
SplunkTrust

That rest call should work if you have index=foo in your data, but if you have index="foo" then it won't, or if your index statement is in a macro used by the search it won't either.

The 'is_scheduled' field also exists to say if it's scheduled or not, and the disabled flag is 1 or 0.
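A fuller version of the REST search that takes the points above into account. This is an added example, not code posted in the thread: it keeps only enabled scheduled searches, captures every index reference in the search string whether or not the value is quoted, and also matches on the saved search name. The index foo and the name pattern fooBar are the ones from the question; the endpoint fields (is_scheduled, disabled, cron_schedule, alert_type, eai:acl.app, eai:acl.owner) are those returned by saved/searches. Using -/- for user and app lists objects from all apps instead of only those visible from the search app, and splunk_server=local avoids duplicate rows on a search head cluster.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search is_scheduled=1 disabled=0
| rex field=search max_match=0 "(?i)index\s*=\s*\"?(?<indexname>[^\s\")]+)"
| search indexname=foo OR title=*fooBar*
| table title, eai:acl.app, eai:acl.owner, cron_schedule, alert_type, indexname, search
```

With max_match=0, indexname becomes a multivalue field when a search references several indexes, and the following search matches if any of them is foo; the \"? and the \" inside the character class are what let index="foo" match as well as index=foo. This lists searches configured to run on a schedule whether or not they have dispatched yet, which is a different population from what the _audit index shows. Searches that set the index inside a macro are still missed; their definitions have to be checked separately, for example by listing them with | rest /servicesNS/-/-/admin/macros and applying the same rex to the definition field.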

Glasses2
Communicator

Thank you for confirming. Do you know if provenance=scheduler in the _audit logs is equivalent to is_scheduled=1 with a | rest search?

bowesmana
SplunkTrust

I don't know, sorry.
