Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need splunk query to get alerts/saved searches/dashboards created by each index

srinivasup
Explorer
‎06-23-2017 06:15 AM

Can anyone help me to get all saved searches/alerts configured using particular index .

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2017 06:52 AM

This will do it BUT there is a problem:

| rest /servicesNS/-/-/saved/searches 
| table search title
| rex max_match=0 field=search "(?<=^|\s|\[)index\s*=\s*(?<index>(?:\"[^\"]+\")|\S+)" 
| rex field=index mode=sed "s/\"//g"
| fillnull value="N/A" index
| stats values(title) BY index

The problem is that it does not handle any cases where index is not specified literally inside the search string. These cases include: |savedsearch, |loadjob, eventtypes, macros tags, the use of Indexes searched by default (which may vary depending on user and role) and probably other things that I am missing. Also note that values (and limit) are limited to a maximum of 1000 values.

0 Karma
Reply

srinivasup
Explorer
‎06-23-2017 07:31 AM

Its not giving expected results.

Would like to search for one index and for this index would like to know alerts, saved searches configured by using this index.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2017 09:34 AM

You are right; I only did half the work; see the updated answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...