- Community
- :
- Splunk Answers
- :
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to get a list of Schedules searches , reports ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
How to get a list of Schedules searches , reports , alerts , dashboards that use DBX query from my search head?
Im trying to get a list of all the existing Schedules searches , reports , alerts , dashboards that use dbquery in my SH along with the owner and its app details. Is this possible ? Could someone kindly help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
You can use following searches to get that info.
Saved searches (reports/alerts)
| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]
Dashboards
| rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app eai:data eai:acl.owner| rename eai:data as code eai:acl.owner as owner | where match(code,"dbquery") OR match(code,"dbinfo") OR match(code,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]
From each search, you can remove the join subsearch if you don't really need to fullname /email etc, will perform better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I saw similar in other answers
| rest splunk_server=local /servicesNS/-/-/data/ui/views
as well as
rest /services/saved/searches
I am having issues to return results from these and I am an admin. Do you know what could be my issue?
Are there anyway to combine audittrail logs with some other internal log to get the same results ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hope you're running this exact search: (need that first pipe)
| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
did you find anything for this ? I have a similar requirement.
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
