Splunk Search

How can I extract the exact search string for modified saved searches from events in the _internal index?

bainskaransingh
New Member

Hi All,

I want to list all the saved searches which are modified (action=edit) from the logs, but the exact search string is not visible in the logs. Can some one guide me on how to approach this one?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I believe the search string is not logged on edit, consider using version control.

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

It might not fully answer your question but I think it's a good start if you take a look at my answers here:

https://answers.splunk.com/answers/363829/how-can-filter-top-search-in-a-month-with-timefram.html

It was a very long discussion on how to list saved searches and who has been and hasn't been using them in the last two months.
It contains the search string you are looking for.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...