I'm trying to get a list of all the existing scheduled searches, reports, alerts and dashboards that use dbquery on my SH, along with the owner and app details. Is this possible? Could someone kindly help?
You can use the following searches to get that info.
Saved searches (reports/alerts)
| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]
Dashboards
| rest splunk_server=local /servicesNS/-/-/data/ui/views | table title eai:acl.app eai:data eai:acl.owner | rename eai:data as code eai:acl.owner as owner | where match(code,"dbquery") OR match(code,"dbinfo") OR match(code,"dboutput") | join type=left owner [| rest splunk_server=local /services/authentication/users | table title email realname | rename title as owner]
From each search, you can remove the join subsearch if you don't really need the full name/email etc.; it will perform better.
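As an added example (not from this thread), the same inventory done outside the search bar against the REST API's JSON output. It assumes the output_mode=json entry layout (name, acl.app, acl.owner, content.search for saved searches and content['eai:data'] for views) and widens the three command names above to the dbx* variants used by newer DB Connect releases; the sample entries are constructed, not real data.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Same endpoints the SPL searches use; value is the content field holding the SPL/XML.
ENDPOINTS = {
    "saved/searches": "search",    # reports/alerts: SPL in content.search
    "data/ui/views": "eai:data",   # dashboards: XML source in content['eai:data']
}
# dbquery/dbinfo/dboutput from the answer, plus the dbxquery/dbxoutput names of DB Connect 2/3.
DB_CMD = re.compile(r"\bdbx?(?:query|info|output)\b", re.IGNORECASE)


def rest_url(base, endpoint):
    """Build the '/servicesNS/-/-/<endpoint>' URL (all apps, all owners) with JSON output."""
    return f"{base}/servicesNS/-/-/{endpoint}?" + urlencode({"output_mode": "json", "count": 0})


def fetch_entries(base, endpoint, token):
    """Live variant: GET the endpoint with a bearer token and return its 'entry' list."""
    req = urllib.request.Request(rest_url(base, endpoint), headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entry"]


def find_db_objects(entries, body_field):
    """Return title/app/owner plus the DB commands found for each entry that calls one."""
    hits = []
    for entry in entries:
        body = entry.get("content", {}).get(body_field) or ""
        cmds = sorted({m.lower() for m in DB_CMD.findall(body)})
        if cmds:
            acl = entry.get("acl", {})
            hits.append({"title": entry.get("name"), "app": acl.get("app"),
                         "owner": acl.get("owner"), "kind": body_field, "commands": cmds})
    return hits


# Constructed sample entries in output_mode=json layout (hypothetical names and owners).
SAMPLE_SEARCHES = [
    {"name": "Nightly HR sync", "acl": {"app": "hr_app", "owner": "jdoe"},
     "content": {"search": '| dbquery hr_conn "select * from staff" | outputlookup staff.csv'}},
    {"name": "Errors per host", "acl": {"app": "search", "owner": "admin"},
     "content": {"search": "index=_internal log_level=ERROR | stats count by host"}},
]
SAMPLE_VIEWS = [
    {"name": "db_health", "acl": {"app": "dbx", "owner": "dba"},
     "content": {"eai:data": "<dashboard><row><panel><search><query>| dbinfo type=tables "
                             "connection=prod | dbxquery connection=prod query=\"select 1\"</query>"}},
]


def inventory(searches=SAMPLE_SEARCHES, views=SAMPLE_VIEWS):
    """Combine both object kinds into one list, the same rows the two SPL searches produce."""
    return find_db_objects(searches, "search") + find_db_objects(views, "eai:data")


if __name__ == "__main__":
    for hit in inventory():
        print(hit)
```

Swap the sample lists for `fetch_entries(base, endpoint, token)` results to run it against a real search head.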
I saw similar searches in other answers:
| rest splunk_server=local /servicesNS/-/-/data/ui/views
as well as
rest /services/saved/searches
I am having issues returning results from these, and I am an admin. Do you know what could be my issue?
Is there any way to combine audittrail logs with some other internal log to get the same results?
Hope you're running this exact search (you need that first pipe):
| rest splunk_server=local /servicesNS/-/-/saved/searches | table title eai:acl.app search eai:acl.owner | rename eai:acl.owner as owner | where match(search,"dbquery") OR match(search,"dbinfo") OR match(search,"dboutput")
Did you find anything for this? I have a similar requirement.