Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Saved Search Creation Time

MJ_27
New Member
‎03-18-2026 10:50 PM

I'm trying to figure out when some of my correlation searches was created ?
i tried it with rest, but only getting updated timestamp with this.

| rest /servicesNS/-/-/saved/searches

 

Any other way around to find this ?
tried to search in audit as well. nothing helpful yet. Open to suggestions or workaround on this.

Please share

Labels (2)
Labels
0 Karma
Reply

kknairr
Communicator
‎03-23-2026 04:05 AM

@MJ_27 You can reliably get the last updated time, but not the original creation time. If you know roughly when they were created, you might be able to confirm with audit or config tracker data, but otherwise there isn’t a native field that records creation. This is a known limitation, and many admins rely on version control systems or change‑management processes to track when correlation searches were first introduced. Hope it clarifies.

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-19-2026 04:44 AM

Hi @MJ_27 

Do you know how long ago they might have been created roughly? Depending on your environment (Cloud vs OnPrem) and retention you might find some info in _internal/_audit or _configtracker 

Other than this there isnt a creation time recorded unfortunately. You can get the updated time ('updated' field from your existing REST endpoint search) but this is the last time it was modified not creation.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-19-2026 01:45 AM

Hi @MJ_27 ,

I don't think that's possible this!

It's only possible to have versioning (so also the creation dates) of the Detections (the old Correlation Searches) using ES from the 8.4 verion.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...