Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to get a list of all saved searches rescently updated

suryaaruna
New Member
‎08-02-2017 06:39 AM

Hello Team,

We are working on collecting the data of all saved searches in splunk and the date when they were updated. We need the most recently updated saved searches also.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2017 08:06 AM

Try the rest command. For example,

| rest servicesNS/nobody/search/saved/searches  | table title updated

Replace 'search' in the query with the name of your app.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2017 08:06 AM

Try the rest command. For example,

| rest servicesNS/nobody/search/saved/searches  | table title updated

Replace 'search' in the query with the name of your app.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

suryaaruna
New Member
‎09-27-2017 06:53 AM

Thanks Richgalloway. It is working for me. but can i get the same for all the apps at once?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2017 09:19 AM

You can use | rest /services/apps/local | fields title to get a list of apps on your system and use a script to invoke | rest servicesNS/nobody/<title>/saved/searches | table title updated for each app on the list.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-29-2017 07:14 AM

Try this | rest servicesNS/-/-/saved/searches | table title updated

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-01-2017 11:49 AM

This is good. I wasn't aware of the '-' as a wildcard. I would update the table command to 'table eai:acl.app title updated` to get the app name for each search

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...