I would like to get a table which has a column containing my views and then another column which contains the saved/in-line searches that are used in each view. I would like to be able to do the reverse as well; get a list of saved searches and see what views they are used in. I can get a list of the saved searches using the REST API, is there anyway to get the views? and if so, can I get the xml from the views? Is this something that I will need to write a bash script in order to do?
Well if you have the Sideview Utils app, it contains a custom search command called "splunkentity", and here's a search that uses that command as well as the rex command to extract the savedsearch names from all the views:
| splunkentity app="YOUR_APP_NAME_HERE" data/ui/views | table name eai:data | rename eai:data as xml | search xml="SavedSearch" | rex max_match=50 field="xml" "(?s)<module name=\"(Hidden)?SavedSearch\"([^>]+)?>[^<]+
mileage may vary, and possibly Splunk now ships a search command that does the same thing. At any rate with some search command that gets the view XML, and a regex to parse out the saved search names, and a stats command to group it all, it should be quite possible, at least for admin users.
Well if you have the Sideview Utils app, it contains a custom search command called "splunkentity", and here's a search that uses that command as well as the rex command to extract the savedsearch names from all the views:
| splunkentity app="YOUR_APP_NAME_HERE" data/ui/views | table name eai:data | rename eai:data as xml | search xml="SavedSearch" | rex max_match=50 field="xml" "(?s)<module name=\"(Hidden)?SavedSearch\"([^>]+)?>[^<]+
mileage may vary, and possibly Splunk now ships a search command that does the same thing. At any rate with some search command that gets the view XML, and a regex to parse out the saved search names, and a stats command to group it all, it should be quite possible, at least for admin users.
