Splunk Search

List of saved/in-line searches within a view

SarahBOA
Path Finder

I would like to get a table which has a column containing my views and then another column which contains the saved/in-line searches that are used in each view. I would like to be able to do the reverse as well: get a list of saved searches and see what views they are used in. I can get a list of the saved searches using the REST API. Is there any way to get the views? And if so, can I get the XML from the views? Is this something that I will need to write a bash script in order to do?

Thanks,
Sarah

1 Solution

sideview
SplunkTrust

Well if you have the Sideview Utils app, it contains a custom search command called "splunkentity", and here's a search that uses that command as well as the rex command to extract the savedsearch names from all the views:

| splunkentity app="YOUR_APP_NAME_HERE" data/ui/views | table name eai:data | rename eai:data as xml | search xml="*SavedSearch*" | rex max_match=50 field="xml" "(?s)<module name=\"(Hidden)?SavedSearch\"([^>]+)?>[^<]+<param name=\"savedSearch\">(?<saved_search>[^<]+)?" | stats values(saved_search) by name

Mileage may vary, and possibly Splunk now ships a search command that does the same thing. At any rate, with some search command that gets the view XML, a regex to parse out the saved search names, and a stats command to group it all, it should be quite possible, at least for admin users.
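The approach in the answer above (get each view's XML, pull out the saved search names, group them), as an added example that is not from the original thread: it parses view XML that has already been retrieved and builds the mapping in both directions. It goes beyond the answer's regex by also recognising Simple XML `<search ref>` and `<searchName>` references; the view names, search names and XML are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: view name -> view XML (the eai:data field). Names are made up.
SAMPLE_VIEWS = {
    "ops_overview": """<view template="dashboard.html">
  <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1">
    <param name="savedSearch">Failed logins by host</param>
  </module>
  <module name="SavedSearch">
    <param name="savedSearch">License usage</param>
  </module>
</view>""",
    "auth_dashboard": """<dashboard>
  <row><panel><table><search ref="Failed logins by host"/></table></panel></row>
  <row><panel><chart><searchName>Top talkers</searchName></chart></panel></row>
  <row><panel><table><search><query>index=main | stats count</query></search></table></panel></row>
</dashboard>""",
    "broken_view": "<view><module name='HiddenSavedSearch'>",  # malformed on purpose
}

def saved_searches_in_view(xml_text):
    root = ET.fromstring(xml_text)
    names = set()
    for module in root.iter("module"):  # advanced XML, as in the answer's regex
        if module.get("name") in ("SavedSearch", "HiddenSavedSearch"):
            for param in module.findall("param"):
                if param.get("name") == "savedSearch" and param.text:
                    names.add(param.text.strip())
    for search in root.iter("search"):  # Simple XML reference; inline queries have no ref
        if search.get("ref"):
            names.add(search.get("ref").strip())
    for elem in root.iter("searchName"):  # legacy Simple XML reference
        if elem.text:
            names.add(elem.text.strip())
    return names

def build_maps(views):
    """Return (view -> searches, search -> views, views whose XML failed to parse)."""
    by_view, by_search, unparsed = {}, defaultdict(set), []
    for view, xml_text in views.items():
        try:
            by_view[view] = saved_searches_in_view(xml_text)
        except ET.ParseError:
            unparsed.append(view)
            continue
        for name in by_view[view]:
            by_search[name].add(view)
    return by_view, dict(by_search), unparsed
```

Views that fail to parse are reported separately rather than silently dropped, so a view that is missing from the table can be told apart from a view that uses no saved searches.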


alacercogitatus
SplunkTrust

It is not done natively. You may want to check out this app: http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects. I don't know if it has what you are looking for, but it might come in handy. A bash script would also work.

lguinn2
Legend

Yes, this is exactly the problem that I wrote X-Ray Splunk to solve!

If the app has problems, please email me, as it is pretty new and I need more feedback!

0 Karma

SarahBOA
Path Finder

This app looks as though it would also get me what I need.

0 Karma