Splunk Search

one liner to get list of scheduled searches associated with users

Communicator

How do I get a list of scheduled searches associated with user info.


Splunk Employee

Maybe this will do:

 index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name

Update:
I think there is either something you are missing, or perhaps you are not running any of the scheduled searches on the search head. I changed the search slightly to include the host as well as the savedsearch name and user. Here is the search I used and my output:

index="_internal" source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name, host  

>   user    savedsearch_name      host    count
> 1 admin   internal              bigmac  2
> 2 admin   testingsss            lilmac  4
> 3 nobody  Indexing workload     bigmac  245
> 4 nobody  Indexing workload     lilmac  1496
> 5 nobody  Top five sourcetypes  bigmac  245
> 6 nobody  Topfive sourcetypes   lilmac  4501

Note: Indexingworkload and TOP5Sourcetypes are the default scheduled savedsearches that come shipped with Splunk. I just scheduled some more savedsearches, one on the indexer, one on the search head, and they both ran, and as you see, I see them both in my search results. lilmac=search head, bigmac=indexer.

Disclaimer: bigmac has got nothing to do with the "burger" 😉
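
The search above only counts scheduled searches that have actually run and been logged in scheduler.log. As an added example (not part of the original answer), the following lists every saved search that is configured as scheduled on the local search head together with its owner, then attaches the run counts from scheduler.log. It assumes your role may use the `rest` command, that the time range covers the period of interest, and that saved search names are unique across apps (the join is on name only).

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search is_scheduled=1 disabled=0
| rename title AS savedsearch_name, eai:acl.owner AS owner, eai:acl.app AS app
| table savedsearch_name owner app cron_schedule
| join type=left savedsearch_name
    [ search index="_internal" source="*scheduler.log" savedsplunker
      | stats count AS runs, latest(_time) AS last_run BY savedsearch_name ]
| fillnull value=0 runs
| eval last_run=strftime(last_run, "%Y-%m-%d %H:%M:%S")
| sort owner savedsearch_name
```

Rows with `runs=0` are searches that are scheduled but have no scheduler.log entry in the selected time range, which is useful when reviewing which accounts own scheduled searches that are not executing.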

Splunk Employee

I do not think that is an issue, see updated answer above

0 Karma

Communicator

When I run this query on the search head it gives me all the users from the Distributed servers but not the savedsearches on the search head.

0 Karma

Communicator

Thanks that was great.

0 Karma