Splunk Search

Need to get a list of all saved searches recently updated

suryaaruna
New Member

Hello Team,

We are working on collecting the data of all saved searches in Splunk and the date when they were updated. We also need the most recently updated saved searches.

0 Karma
1 Solution

richgalloway
SplunkTrust

Try the rest command. For example,

| rest servicesNS/nobody/search/saved/searches  | table title updated

Replace 'search' in the query with the name of your app.

---
If this reply helps you, Karma would be appreciated.

suryaaruna
New Member

Thanks, richgalloway. It is working for me, but can I get the same for all the apps at once?

0 Karma

richgalloway
SplunkTrust

You can use

| rest /services/apps/local | fields title

to get a list of apps on your system and use a script to invoke

| rest servicesNS/nobody/<title>/saved/searches | table title updated

for each app on the list.

---
If this reply helps you, Karma would be appreciated.
0 Karma

harsmarvania57
SplunkTrust

Try this:

| rest servicesNS/-/-/saved/searches | table title updated

0 Karma

richgalloway
SplunkTrust

This is good. I wasn't aware of the '-' as a wildcard. I would update the table command to 'table eai:acl.app title updated' to get the app name for each search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
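
The scripted route mentioned in the replies, as an added example that is not part of the original thread: it takes the JSON body of the servicesNS/-/-/saved/searches endpoint (requested with output_mode=json) and returns the searches updated since a cutoff, newest first, with the app and owner beside each title. The function name recently_updated and every value in the sample response are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the JSON body returned by
# GET /servicesNS/-/-/saved/searches?output_mode=json&count=0
SAMPLE_RESPONSE = json.loads("""
{"entry": [
  {"name": "Failed logins by host", "updated": "2024-03-10T08:15:00-07:00",
   "acl": {"app": "search", "owner": "admin"}},
  {"name": "License usage report", "updated": "2023-11-02T12:00:00+00:00",
   "acl": {"app": "reporting_app", "owner": "nobody"}},
  {"name": "Failed logins by host", "updated": "2024-03-11T23:30:00+01:00",
   "acl": {"app": "soc_app", "owner": "analyst1"}},
  {"name": "Search with no timestamp", "updated": "",
   "acl": {"app": "search", "owner": "nobody"}}
]}
""")


def recently_updated(response, since):
    """Return (updated_utc, app, owner, title) tuples at or after `since`,
    newest first. Entries with a missing or unparseable timestamp are skipped."""
    rows = []
    for entry in response.get("entry", []):
        try:
            updated = datetime.fromisoformat(entry["updated"])
        except (KeyError, TypeError, ValueError):
            continue
        if updated.tzinfo is None:
            continue  # no UTC offset, so it cannot be compared safely
        updated = updated.astimezone(timezone.utc)  # normalise mixed offsets
        if updated >= since:
            acl = entry.get("acl", {})
            rows.append((updated, acl.get("app", "?"),
                         acl.get("owner", "?"), entry.get("name", "?")))
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)  # fixed "now" for the sample
    for updated, app, owner, title in recently_updated(
            SAMPLE_RESPONSE, now - timedelta(days=7)):
        print(f"{updated.isoformat()}  {app:<14} {owner:<10} {title}")
```

The sample deliberately has the same search title in two apps, which is why the app name belongs in the output.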