List of saved/in-line searches within a view

Path Finder

I would like to get a table which has a column containing my views and then another column which contains the saved/in-line searches that are used in each view. I would like to be able to do the reverse as well: get a list of saved searches and see what views they are used in. I can get a list of the saved searches using the REST API; is there any way to get the views? And if so, can I get the XML from the views? Is this something that I will need to write a bash script in order to do?

Thanks,
Sarah

Re: List of saved/in-line searches within a view

SplunkTrust

It is not done natively. You may want to check out this app: http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects. I don't know if it has what you are looking for, but it might come in handy. A bash script would also work.

Re: List of saved/in-line searches within a view

Path Finder

This app looks as though it would also get me what I need.

0 Karma
Re: List of saved/in-line searches within a view

Legend

Yes, this is exactly the problem that I wrote X-Ray Splunk to solve!

If the app has problems, please email me, as it is pretty new and I need more feedback!

0 Karma
Re: List of saved/in-line searches within a view

SplunkTrust

Well if you have the Sideview Utils app, it contains a custom search command called "splunkentity", and here's a search that uses that command as well as the rex command to extract the savedsearch names from all the views:

| splunkentity app="YOURAPPNAMEHERE" data/ui/views | table name eai:data | rename eai:data as xml | search xml="*SavedSearch*" | rex max_match=50 field="xml" "(?s)<module name=\"(Hidden)?SavedSearch\"([^>]+)?>[^<]+<param name=\"savedSearch\">(?<saved_search>[^<]+)?" | stats values(saved_search) by name

Mileage may vary, and possibly Splunk now ships a search command that does the same thing. At any rate, with some search command that gets the view XML, a regex to parse out the saved search names, and a stats command to group it all, it should be quite possible, at least for admin users.

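The same cross-reference done outside Splunk, as an added example that is not part of the original thread or of any app mentioned in it: it reads view XML with an XML parser instead of a regex and builds both tables asked for in the question (view to saved searches, and saved search to views). It assumes the saved search name sits in a `<param name="savedSearch">` child of a `SavedSearch` or `HiddenSavedSearch` module; the function names and the sample views are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Module names taken from the regex in the post above.
SAVED_SEARCH_MODULES = {"SavedSearch", "HiddenSavedSearch"}

def saved_searches_in_view(xml_text):
    """Return the sorted saved-search names referenced by one view's XML."""
    names = set()
    for module in ET.fromstring(xml_text).iter("module"):
        if module.get("name") not in SAVED_SEARCH_MODULES:
            continue
        # Direct <param> children only; nested modules carry their own params.
        for param in module.findall("param"):
            text = (param.text or "").strip()
            if param.get("name") == "savedSearch" and text:
                names.add(text)
    return sorted(names)

def cross_reference(views):
    """Map {view: xml} to (view -> searches, search -> views, unparsable views)."""
    by_view, by_search, broken = {}, defaultdict(list), []
    for view in sorted(views):
        try:
            found = saved_searches_in_view(views[view])
        except ET.ParseError:
            broken.append(view)  # report it rather than silently skipping
            continue
        by_view[view] = found
        for name in found:
            by_search[name].append(view)
    return by_view, dict(by_search), broken

# Constructed sample input, standing in for the name / eai:data pairs.
SAMPLE_VIEWS = {
    "ops_overview": """<view>
  <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1">
    <param name="savedSearch">Errors in the last hour</param>
    <module name="SimpleResultsTable"><param name="count">10</param></module>
  </module>
  <module name="SavedSearch"><param name="savedSearch">Top sourcetypes</param></module>
</view>""",
    "error_drilldown": """<view><module name="HiddenSavedSearch">
  <param name="savedSearch">Errors in the last hour</param>
</module></view>""",
    "half_saved": '<view><module name="HiddenSavedSearch">',  # truncated XML
}

if __name__ == "__main__":
    by_view, by_search, broken = cross_reference(SAMPLE_VIEWS)
    print(by_view, by_search, broken, sep="\n")
```

Views that fail to parse are returned in their own list, so an audit of which dashboards depend on a saved search does not silently miss a malformed view.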