Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- How to get a list of Schedules searches , reports ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get a list of Schedules searches , reports , alerts , dashboards that use DBX query from my search head?
Harishma
Communicator
03-17-2017
01:54 AM
Im trying to get a list of all the existing Schedules searches , reports , alerts , dashboards that use dbquery in my SH along with the owner and its app details. Is this possible ? Could someone kindly help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-30-2017
02:43 PM
You can use following searches to get that info.
Saved searches (reports/alerts)
| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]
Dashboards
| rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app eai:data eai:acl.owner| rename eai:data as code eai:acl.owner as owner | where match(code,"dbquery") OR match(code,"dbinfo") OR match(code,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]
From each search, you can remove the join subsearch if you don't really need to fullname /email etc, will perform better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akocak
Contributor
10-30-2017
02:50 PM
I saw similar in other answers
| rest splunk_server=local /servicesNS/-/-/data/ui/views
as well as
rest /services/saved/searches
I am having issues to return results from these and I am an admin. Do you know what could be my issue?
Are there anyway to combine audittrail logs with some other internal log to get the same results ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-30-2017
02:55 PM
Hope you're running this exact search: (need that first pipe)
| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akocak
Contributor
10-30-2017
01:39 PM
did you find anything for this ? I have a similar requirement.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
