
Automatically create custom saved searches upon login

pgsery
Explorer

I want to create custom saved searches for users based on their search filter. I think I need to use scripted login (i.e., pamScripted.py, dumbScripted.py, etc.) to do so. For instance, if ...Scripted.py creates a user's search filter, then create a search for each item in the filter. So a user whose search filter is host=x, host=y, host=z would get saved searches [x]..., [y]..., [z]...

I've modified dumbScripted.py to insert saved searches into my savedsearches.conf, but this requires restarting splunk to activate the searches. Alternatively, it might be reasonable to have the script launch "splunk add saved-search ..." but I haven't been able to make it work on a per-user basis. Any suggestions?


pgsery
Explorer

I solved the problem by creating a drop-down menu allowing the user to choose a host (and time-range). The selected host is plugged into a pipeline that feeds an arbitrary filter.

[The post included the view's XML; its tags were lost in extraction and only the text of the module parameters survives:]

Hosts: myhosts | metadata type=hosts True main host host myhosts stringreplace True host= $target$ $host$ | head sourcetype_setting stringreplace True sourcetype= $target$ 24h False Submit flashtimeline


gkanapathy
Splunk Employee

I guess I'd be interested in understanding why you'd want separate saved searches for each user, rather than have the filters do the work. The most effective way to do what you narrowly want is to create the search via a REST API call, but I'm not sure that overall this is necessarily the right approach in the first place.

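The REST approach mentioned in the reply above, as an added example that is not code from this thread or from Splunk. It creates one saved search per host in a user's search filter by POSTing to /servicesNS/<user>/<app>/saved/searches, which is Splunk's documented endpoint for creating a saved search in a specific user's namespace. The management URL, the app name, the shape of the search filter and the "errors on <host>" search body are assumptions chosen for illustration; a session key or auth token is passed in rather than a password, and certificate verification is left on.

```python
"""Create one saved search per host in a user's search filter through the
Splunk REST API. Added example; the endpoint URL, app and search body below
are assumptions, not values from the thread."""
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

SPLUNKD = "https://localhost:8089"  # assumption: splunkd management port on the search head
APP = "search"                      # assumption: app the saved searches are created in


def hosts_from_filter(search_filter: str) -> list:
    """Pull host values out of a search filter such as 'host=x, host=y, host=z'
    or 'host=x OR host=y' (both spellings appear in the thread)."""
    return re.findall(r'host\s*=\s*"?([\w.-]+)"?', search_filter)


def saved_search_spec(host: str, hours: int = 24) -> dict:
    """Form fields for one saved search; the query itself is an assumed example."""
    return {
        "name": f"errors on {host}",
        "search": f'host="{host}" (error OR fail*) | head 100',
        "dispatch.earliest_time": f"-{hours}h",
        "dispatch.latest_time": "now",
    }


def saved_search_request(user: str, spec: dict, token: str) -> urllib.request.Request:
    """POST to /servicesNS/<user>/<app>/saved/searches: the search is created in
    that user's namespace, owned by them and run under their role (so the role's
    search filter still applies), instead of globally under the admin running this."""
    url = f"{SPLUNKD}/servicesNS/{urllib.parse.quote(user, safe='')}/{APP}/saved/searches"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(spec).encode(), method="POST")
    # session key or authentication token; never a cleartext admin password in the script
    req.add_header("Authorization", f"Splunk {token}")
    return req


def send(req: urllib.request.Request) -> int:
    """Send the request with certificate verification on and return the HTTP status.
    409 (the search already exists, e.g. on a second login) is returned, not raised."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        if err.code == 409:
            return 409
        raise


def create_saved_searches(user: str, search_filter: str, token: str, sender=send) -> list:
    """Create one saved search per host in the filter and return the names created.
    'sender' is injectable so the logic can be exercised without a live splunkd."""
    created = []
    for host in hosts_from_filter(search_filter):
        spec = saved_search_spec(host)
        if sender(saved_search_request(user, spec, token)) == 201:
            created.append(spec["name"])
    return created


if __name__ == "__main__":
    import sys
    # usage: python create_saved_searches.py <user> '<search filter>' <token>
    user, search_filter, token = sys.argv[1:4]
    print(create_saved_searches(user, search_filter, token))
```

Splunk answers a successful create with 201 and a duplicate name with 409, which is why a second login for the same user is harmless. Creating the entity under the user's own namespace is the point of servicesNS: the saved search inherits that user's permissions rather than the credentials of whatever ran the login script.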

pgsery
Explorer

Could you give an example?


gkanapathy
Splunk Employee

If you already have this logic coded into the search filter, it should be unnecessary to create different saved searches, since the search filter applies to all searches run by that user.


pgsery
Explorer

We allow user A to see logs from machines 1, 3 & 9, and user B machines 2, 3, & 4. We want user A to monitor errors on 1,3 & 9; likewise B monitors 2,3 & 4.

We could teach A and B how to perform the search for each machine and instruct them to save the search to simplify their job. However, we have hundreds of users and would prefer to automate the process one way or the other. Creating saved searches at login seems like an obvious way, but perhaps there's another. I'm also looking at adding the above search to our app and linking the specific machines to the search within the app.


gkanapathy
Splunk Employee

I suppose my question is why you'd need to create different ones for each user.


pgsery
Explorer

I want to provide our users with a simple way to perform their required log reviews. If they all need to look for certain events, they'll end up creating the same saved searches to perform the job and email the results. I'd rather create the common searches automatically and save everyone the manual and repetitious effort.
