Reporting

How to list saved searches

gfriedmann
Communicator

Is it possible to search on saved search names?

I would like to be able to use splunk to query the data that is the names of my saved searches.

1 Solution

dwaddle
SplunkTrust

The names of configured saved searches are not indexed in Splunk by default. However, saved searches are stored in savedsearches.conf configuration files on the indexer. You can use Splunk's btool command to show you the names of saved searches and which apps they are configured in:

$ splunk cmd btool --debug savedsearches list | egrep "\["
unix       [10 Most Popular Executables Last Hour (UNIX - CPU)]
unix       [Addresses Connected To (UNIX - NET)]
search     [Admin - Splunkweb Recent Unhandled Exceptions]
search     [Admin - System Info]
unix       [Alert - syslog errors last hour]
unix       [Avg Resident Memory by Process Last 3 Hours (UNIX - MEM)]
unix       [Avg Virtual Memory by Process Last 3 Hours (UNIX - MEM)]
unix       [CPU Usage by Command (UNIX - CPU)]
unix       [CPU Usage by User (UNIX - CPU)]
SplunkforC [Cisco ASA Firewall - Actions Over Time - Summary]
SplunkforC [Cisco ASA Firewall - Top Denied DEST IP - Summary]
SplunkforC [Cisco ASA Firewall - Top Denied SRC IP - Summary]

A list of saved searches is also available in Splunk Manager.
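As an added example (not code from the thread or from Splunk), the parser below turns the btool --debug output shown above into a per-app inventory of saved searches, including any key = value lines that follow each stanza header. The sample data is constructed to match that layout, and the first column is assumed to be the app name as in the output above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `splunk cmd btool --debug savedsearches list`:
# first column is the app, then either a [stanza] header or a `key = value` line.
SAMPLE_BTOOL_OUTPUT = """\
unix       [CPU Usage by Command (UNIX - CPU)]
unix       search = index=os sourcetype=ps | stats sum(pctCPU) by COMMAND
unix       cron_schedule = */5 * * * *
search     [Admin - System Info]
search     search = | rest /services/server/info
SplunkforC [Cisco ASA Firewall - Top Denied SRC IP - Summary]
SplunkforC search = index=cisco action=denied | top src_ip
SplunkforC alert.track = 1
"""

STANZA_RE = re.compile(r"^(\S+)\s+\[(.+)\]\s*$")        # app  [stanza name]
KEY_RE = re.compile(r"^(\S+)\s+([\w.]+)\s*=\s*(.*)$")   # app  key = value


def parse_btool_savedsearches(text):
    """Return {app: {stanza_name: {key: value}}} from btool --debug output."""
    inventory = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            app, name = m.groups()
            current = inventory[app].setdefault(name, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            # The app column is ignored for key lines: it is the same as the
            # stanza's app in the format shown on the page.
            _app, key, value = m.groups()
            current[key] = value.strip()
    return dict(inventory)


def list_saved_search_names(text):
    """Sorted (app, name) pairs: the same information the egrep filter above prints."""
    inv = parse_btool_savedsearches(text)
    return sorted((app, name) for app, stanzas in inv.items() for name in stanzas)


def scheduled_searches(text):
    """(app, name, cron) for every saved search that carries a cron_schedule."""
    inv = parse_btool_savedsearches(text)
    return sorted((app, name, keys["cron_schedule"])
                  for app, stanzas in inv.items()
                  for name, keys in stanzas.items() if "cron_schedule" in keys)
```

The scheduled_searches view is the one worth reviewing regularly: it lists which saved searches actually run on the scheduler and from which app they were shipped.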


melonman
Motivator

I was looking for the same thing, and with the latest Splunk, I could do the following.

| rest /servicesNS/*USERNAME*/*APPNAME*/saved/searches | table title qualifiedSearch

I may be wrong, but wanted to share for those who will look for this in the future...

e.g. "| rest /servicesNS/admin/search/saved/searches | table title qualifiedSearch"

then I get this:

             title                                                                                                qualifiedSearch
------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Errors in the last 24 hours     search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
Errors in the last hour         search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
Indexing workload               search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series
Messages by minute last 3 hours search index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series
Splunk errors last 24 hours     search index=_internal " error " NOT debug source=*splunkd.log*
Top five sourcetypes            search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5

melonman
Motivator

For memos to myself ...

| rest /services/saved/searches | table author title qualifiedSearch

BobM
Builder

If you download the "Sanity Check My App!" app (written by carasso) from splunkbase, it includes a new search command entity. You can use it to tell splunk to use the rest endpoint to collect the saved searches.

| entity saved/searches namespace=myapp

_raw will contain the search name and the field "search" will have the search string.

troywollenslege
Path Finder

Cool application. I was trying to get the username of the person that created the saved search (the owner); anyone know how to do that?


BobM
Builder

I hadn't realized I was using a custom search command from an app I had installed: "Sanity Check My App!"
I have updated my reply above.

gkanapathy
Splunk Employee

I assume it's a wrapper for the SDK calls: http://dev.splunk.com/view/managing-objects-tutorial/SP-CAAADQ5


gkanapathy
Splunk Employee

Can you elaborate on the entity command you have used here?


