Hello Team,
We are working on collecting the data of all saved searches in splunk and the date when they were updated. We need the most recently updated saved searches also.
Try the rest command. For example,
| rest servicesNS/nobody/search/saved/searches | table title updated
Replace 'search' in the query with the name of your app.
Thanks Richgalloway. It is working for me. But can I get the same for all the apps at once?
You can use | rest /services/apps/local | fields title
to get a list of apps on your system and use a script to invoke | rest servicesNS/nobody/<title>/saved/searches | table title updated
for each app on the list.
Try this | rest servicesNS/-/-/saved/searches | table title updated
This is good. I wasn't aware of the '-' as a wildcard. I would update the table command to 'table eai:acl.app title updated' to get the app name for each search.
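The wildcard query above returns every saved search across apps, but the REST output still has to be sorted and filtered to answer the original question (which searches changed most recently). The following is an added example, not code from this thread or from Splunk: it works on the JSON form of `/servicesNS/-/-/saved/searches` (`output_mode=json`), whose entries carry `name`, `updated`, `author` and `acl.app`, the same value the SPL field `eai:acl.app` shows. The sample response is constructed, and the optional fetch helper assumes a Splunk authentication token sent as a Bearer header. The `updated` field carries a UTC offset, so the code compares timezone-aware timestamps rather than raw strings; a plain string sort would misorder searches saved from different time zones, as the sample shows.

```python
"""Inventory Splunk saved searches across all apps and rank them by last update.

Added example. Assumes the JSON shape returned by
GET /servicesNS/-/-/saved/searches?output_mode=json
(entry[].name, entry[].updated, entry[].author, entry[].acl.app).
"""
import json
import urllib.request
from datetime import datetime

# Constructed sample in the shape of the REST endpoint's JSON output.
# App names other than "search" are made up; timestamps are chosen so that
# a string sort and a timezone-aware sort disagree.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Errors in the last 24 hours", "updated": "2024-03-01T09:12:00-05:00",
         "author": "nobody",
         "acl": {"app": "search", "owner": "nobody", "sharing": "app"},
         "content": {"search": "error | stats count", "disabled": False}},
        {"name": "Failed logins by host", "updated": "2024-05-20T18:30:00-05:00",
         "author": "admin",
         "acl": {"app": "my_app", "owner": "admin", "sharing": "global"},
         "content": {"search": "action=failure | stats count by host", "disabled": False}},
        {"name": "Daily license usage", "updated": "2024-05-20T23:00:00+01:00",
         "author": "nobody",
         "acl": {"app": "alerting_app", "owner": "nobody", "sharing": "app"},
         "content": {"search": "index=_internal source=*license_usage.log", "disabled": True}},
    ]
})


def parse_splunk_time(value):
    """Splunk's 'updated' is ISO 8601 with a UTC offset; keep the offset so
    entries saved in different time zones compare correctly."""
    return datetime.fromisoformat(value)


def saved_search_inventory(raw_json):
    """Return one record per saved search, newest first, tagged with its app.

    The app name is taken from acl.app, which is what the SPL field
    eai:acl.app exposes in the search bar version of this query.
    """
    records = []
    for entry in json.loads(raw_json).get("entry", []):
        records.append({
            "app": entry["acl"]["app"],
            "title": entry["name"],
            "author": entry.get("author"),
            "updated": parse_splunk_time(entry["updated"]),
        })
    # Aware datetimes sort by absolute time, not by their printed string.
    records.sort(key=lambda r: r["updated"], reverse=True)
    return records


def updated_since(raw_json, cutoff_iso):
    """Saved searches modified at or after an ISO 8601 cutoff, newest first.
    Useful as an audit question: a recently changed alert may have had its
    logic or schedule altered and deserves a second look."""
    cutoff = parse_splunk_time(cutoff_iso)
    return [r for r in saved_search_inventory(raw_json) if r["updated"] >= cutoff]


def fetch_saved_searches(base_url, token):
    """Pull the live list from a search head (assumed deployment: management
    port reachable at base_url, auth via a Splunk token as a Bearer header).
    Not called in this example; the sample response stands in for it."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for r in saved_search_inventory(SAMPLE_RESPONSE):
        print(f"{r['updated'].isoformat():25} {r['app']:15} {r['author']:8} {r['title']}")
```

Running the module prints the three constructed searches with "Failed logins by host" first: its 18:30 -05:00 timestamp is 23:30 UTC, later than the 23:00 +01:00 entry even though the string "18:30" sorts lower. To run against a real search head, call `fetch_saved_searches()` and pass its return value in place of `SAMPLE_RESPONSE`.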