Rest Query to find out query along with no of execution times

splunkfriend123
Engager

Hi Team,

Is there any way to use REST syntax to retrieve the following?

1. A REST query to retrieve all unique searches performed on a given index and count the number of times each was searched

Roy_9
Motivator

@splunkfriend123 There is no way to find the unique searches using the REST command.

You could run the below search on the audit index to get the details of ad-hoc, API and any scheduled searches.

index=_audit action="search" search="*"
| eval 'ad-hoc'=if(NOT user="splunk-system-user", "Yes", "No")
| eval var1=if(match(search,"(?:index=\*|index=\s\*|index\s=\s\*|index=\"\*\"|index =\"\*\"|index = \"\*\")"), "TUNE-ME", "OK")
| table user search ad-hoc var1


marysan
Communicator

For the _internal index, for example:

| rest /services/saved/searches splunk_server=local count=0
| search cron_schedule!="* *" AND search="*index=_internal*"

When there is no cron schedule for a saved search, it can't execute.


richgalloway
SplunkTrust

There is no REST command that does all that. You can use REST to search the audit log for all searches, but it won't be by index.

It's possible to parse the search strings to extract index names, but that's not perfect since index names may not be specified in the query itself.  They may be in a macro or an eventtype or in the user's default indexes.

---
If this reply helps you, Karma would be appreciated.
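As an added, constructed illustration of the parsing approach (and its blind spot) described in this answer, not code from the thread or from Splunk: a Python script that takes audit-shaped lines, keeps only granted search events, groups the unique search strings by every index named literally in the SPL, and buckets searches whose index comes from a macro, eventtype or default indexes as unspecified. The audit.log layout and every value in AUDIT_LINES are assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed events shaped like index=_audit action=search entries; the field
# layout mimics audit.log but every value is made up (not real audit data).
AUDIT_LINES = [
    "Audit:[timestamp=01-02-2024 10:00:00.000, user=alice, action=search, info=granted , search_id='1.1', search='search index=web status=500 | stats count', autojoin='1'][n/a]",
    "Audit:[timestamp=01-02-2024 10:00:02.000, user=alice, action=search, info=completed , search_id='1.1', search='search index=web status=500 | stats count', autojoin='1'][n/a]",
    "Audit:[timestamp=01-02-2024 10:01:00.000, user=bob, action=search, info=granted , search_id='1.2', search='search  index=web status=500  | stats count', autojoin='1'][n/a]",
    "Audit:[timestamp=01-02-2024 10:02:00.000, user=carol, action=search, info=granted , search_id='1.3', search='search index IN (web, firewall) action=blocked | head 5', autojoin='1'][n/a]",
    "Audit:[timestamp=01-02-2024 10:03:00.000, user=dave, action=search, info=granted , search_id='1.4', search='| rest /services/saved/searches splunk_server=local count=0', autojoin='1'][n/a]",
    "Audit:[timestamp=01-02-2024 10:04:00.000, user=eve, action=search, info=granted , search_id='1.5', search='`my_macro` | stats count by host', autojoin='1'][n/a]",
]

SEARCH_FIELD = re.compile(r"search='(.*?)'(?=,\s*\w+=)")   # simplified: assumes no quote-comma-key inside the SPL
INDEX_EQ = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*\-]+)"?', re.I)
INDEX_IN = re.compile(r'\bindex\s+IN\s*\(([^)]*)\)', re.I)
UNSPECIFIED = "(unspecified)"  # bucket for searches whose index is not literal in the SPL

def parse_audit_line(line):
    """(user, whitespace-normalized SPL) for a granted search event, else None;
    info=completed events of the same search_id are skipped so each run counts once."""
    if not re.search(r"\baction=search\b", line) or not re.search(r"\binfo=granted\b", line):
        return None
    user, spl = re.search(r"\buser=([^,\]]+)", line), SEARCH_FIELD.search(line)
    if not user or not spl:
        return None
    return user.group(1), " ".join(spl.group(1).split())

def extract_indexes(spl):
    """Index names written literally (index=x, index="x", index IN (a,b)).
    Empty when a macro, eventtype or the role's default indexes decide the target."""
    names = {m.lower() for m in INDEX_EQ.findall(spl)}
    for group in INDEX_IN.findall(spl):
        names.update(n.strip().strip('"').lower() for n in group.split(",") if n.strip())
    return names

def summarize(lines):
    """index -> Counter(unique search -> executions); unresolved go to UNSPECIFIED."""
    per_index = defaultdict(Counter)
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is not None:
            for idx in extract_indexes(parsed[1]) or {UNSPECIFIED}:
                per_index[idx][parsed[1]] += 1
    return per_index

def executions_per_index(lines):
    """Total executions per index, the 'number of times it was searched' figure."""
    return {idx: sum(c.values()) for idx, c in summarize(lines).items()}
```

The size of the UNSPECIFIED bucket is the honest measure of how much of the index-level picture this approach cannot recover from the audit log alone.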

PickleRick
SplunkTrust

It's a question that pops up quite frequently (auditing index accesses). Might be worth creating an idea on https://ideas.splunk.com/ or supporting an existing one if someone has already made one.
