Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

one liner to get list of scheduled searches associated with users

sanju005ind
Communicator
‎12-08-2010 05:41 PM

How do I get a list of scheduled searches associated with user info.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎12-08-2010 05:48 PM

maybe this will do: 

 index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name

Update:
I think there is either something you are missing, or perhaps you are not running any of the scheduled searches on the search head. I changed the search slightly to include the host as well as the savedsearch name and user. here is the search i used and my output:

index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name, host  

> user     savedsearch_name       host      count
> 1 admin    internal               bigmac    2
> 2 admin    testingsss             lilmac    4
> 3 nobody  Indexing workload      bigmac    245
> 4 nobody  Indexing workload      lilmac    1496
> 5 nobody  Top five sourcetypes   bigmac    245 
> 6 nobody  Topfive sourcetypes    lilmac    4501

note: Indexingworkload and TOP5Sourcetypes are the default scheduled savedsearches that come shipped with splunk. i just scheduled some more savedsearches, one on the indexer, one on the search head, and they both ran, and as you see, i see them both on my search results. lilmac=search head, bigmac=indexer.

Disclaimer: bigmac has got nothing to do with the "burger" 😉

View solution in original post

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎12-08-2010 05:48 PM

maybe this will do: 

 index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name

Update:
I think there is either something you are missing, or perhaps you are not running any of the scheduled searches on the search head. I changed the search slightly to include the host as well as the savedsearch name and user. here is the search i used and my output:

index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name, host  

> user     savedsearch_name       host      count
> 1 admin    internal               bigmac    2
> 2 admin    testingsss             lilmac    4
> 3 nobody  Indexing workload      bigmac    245
> 4 nobody  Indexing workload      lilmac    1496
> 5 nobody  Top five sourcetypes   bigmac    245 
> 6 nobody  Topfive sourcetypes    lilmac    4501

note: Indexingworkload and TOP5Sourcetypes are the default scheduled savedsearches that come shipped with splunk. i just scheduled some more savedsearches, one on the indexer, one on the search head, and they both ran, and as you see, i see them both on my search results. lilmac=search head, bigmac=indexer.

Disclaimer: bigmac has got nothing to do with the "burger" 😉

Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎12-10-2010 09:48 PM

I do not think that is an issue, see updated answer above

0 Karma
Reply
Solved! Jump to solution

sanju005ind
Communicator
‎12-10-2010 09:02 AM

When I run this query on the search head it gives me all the users from the Distributed servers but not the savedsearches on the search head.

0 Karma
Reply
Solved! Jump to solution

sanju005ind
Communicator
‎12-08-2010 06:35 PM

Thanks that was great.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...