Hi Team,
Is there any way to use REST syntax and retrieve the following.
1. Rest Query to retrieve all unique searches performed on a given index and count no of times it was searched
@splunkfriend123 there is no way to find the unique searches using REST command.
you could run the below search on audit index to get the details of adhoc, api and any scheduled searches.
index=_audit action="search" search="*" | eval ad-hoc=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1
for _internal index for example:
| rest /services/saved/searches splunk_server=local count=0
| search cron_schedule!="* *" AND search="*index=_internal*"
when there is no cron schedule for a saved search, it cant execute .
There is no REST command that does all that. You can use REST to search the audit log for all searches, but it won't be by index.
It's possible to parse the search strings to extract index names, but that's not perfect since index names may not be specified in the query itself. They may be in a macro or an eventtype or in the user's default indexes.
It's a question that pops up quite frequently (auditing index accesses). Might be worth creating an idea on https://ideas.splunk.com/ or supporting existing one if someone already made one.