Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to get a list of all saved searches rescently updated

suryaaruna
New Member
‎08-02-2017 06:39 AM

Hello Team,

We are working on collecting the data of all saved searches in splunk and the date when they were updated. We need the most recently updated saved searches also.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2017 08:06 AM

Try the rest command. For example,

| rest servicesNS/nobody/search/saved/searches  | table title updated

Replace 'search' in the query with the name of your app.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2017 08:06 AM

Try the rest command. For example,

| rest servicesNS/nobody/search/saved/searches  | table title updated

Replace 'search' in the query with the name of your app.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

suryaaruna
New Member
‎09-27-2017 06:53 AM

Thanks Richgalloway. It is working for me. but can i get the same for all the apps at once?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2017 09:19 AM

You can use | rest /services/apps/local | fields title to get a list of apps on your system and use a script to invoke | rest servicesNS/nobody/<title>/saved/searches | table title updated for each app on the list.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-29-2017 07:14 AM

Try this | rest servicesNS/-/-/saved/searches | table title updated

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-01-2017 11:49 AM

This is good. I wasn't aware of the '-' as a wildcard. I would update the table command to 'table eai:acl.app title updated` to get the app name for each search

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...