Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Rest Query to find out query along with no of execution times

splunkfriend123
Engager
‎06-24-2022 07:28 AM

Hi Team,

 

Is there any way to use REST syntax and retrieve the following.

1. Rest Query to retrieve all unique searches performed on a given index and count no of times it was searched

 

 

Labels (2)
Tags (2)
0 Karma
Reply

Roy_9
Motivator
‎06-25-2022 01:06 AM

@splunkfriend123 there is no way to find the unique searches using REST command.

you could run the below search on audit index to get the details of adhoc, api and any scheduled searches.

index=_audit action="search" search="*" | eval ad-hoc=if(NOT user="splunk-system-user", "Yes", "No") | eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK") | table user search ad-hoc var1 

0 Karma
Reply

marysan
Communicator
‎06-24-2022 10:39 PM

for _internal index for example:

| rest /services/saved/searches splunk_server=local count=0
| search cron_schedule!="* *" AND search="*index=_internal*"

when there is no cron schedule for a saved search, it cant execute .

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 07:43 AM

There is no REST command that does all that.  You can use REST to search the audit log for all searches, but it won't be by index.

It's possible to parse the search strings to extract index names, but that's not perfect since index names may not be specified in the query itself.  They may be in a macro or an eventtype or in the user's default indexes.

---
If this reply helps you, Karma would be appreciated.
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-25-2022 01:50 AM

It's a question that pops up quite frequently (auditing index accesses). Might be worth creating an idea on https://ideas.splunk.com/ or supporting existing one if someone already made one.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...