Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Saved Search Creation Time

MJ_27
New Member
‎03-18-2026 10:50 PM

I'm trying to figure out when some of my correlation searches was created ?
i tried it with rest, but only getting updated timestamp with this.

| rest /servicesNS/-/-/saved/searches

 

Any other way around to find this ?
tried to search in audit as well. nothing helpful yet. Open to suggestions or workaround on this.

Please share

Labels (2)
Labels
0 Karma
Reply

kknairr
Contributor
‎03-23-2026 04:05 AM

@MJ_27 You can reliably get the last updated time, but not the original creation time. If you know roughly when they were created, you might be able to confirm with audit or config tracker data, but otherwise there isn’t a native field that records creation. This is a known limitation, and many admins rely on version control systems or change‑management processes to track when correlation searches were first introduced. Hope it clarifies.

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-19-2026 04:44 AM

Hi @MJ_27 

Do you know how long ago they might have been created roughly? Depending on your environment (Cloud vs OnPrem) and retention you might find some info in _internal/_audit or _configtracker 

Other than this there isnt a creation time recorded unfortunately. You can get the updated time ('updated' field from your existing REST endpoint search) but this is the last time it was modified not creation.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-19-2026 01:45 AM

Hi @MJ_27 ,

I don't think that's possible this!

It's only possible to have versioning (so also the creation dates) of the Detections (the old Correlation Searches) using ES from the 8.4 verion.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...