Is there an SPL search for searches (saved or scheduled) that run in real time? Should all the scheduled or saved searches be saved on the SH?
SearchHeadLevel - Realtime Scheduled Searches are in use
SearchHeadLevel - Realtime Search Queries in dashboards
SearchHeadLevel - Scheduled Searches without a configured earliest and latest time
Or even:
SearchHeadLevel - Dashboard refresh intervals
Might help...
Howdy sir, no. Due to only 2 of us in the Security team, it is hard to take time off at this time. Are you attending?
I'm planning to attend.
Yes, saved searches will be on the SH. This search should do what you need.
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search is_scheduled=1 disabled=0
| fields dispatch.earliest_time eai:acl.owner title eai:acl.app
| rename dispatch.earliest_time as earliest_time, eai:acl.owner as Owner, eai:acl.app as App
| where like(earliest_time, "rt%")
| table App Owner title
Thank you. Let me give it a test drive. I owe you lunch for all the help you have provided when you visit Texas. Have a safe day.
Will you be in Las Vegas for .conf21?