Solved: Need to get a list of all saved searches rescently...

suryaaruna · ‎08-02-2017

Hello Team,

We are working on collecting the data of all saved searches in splunk and the date when they were updated. We need the most recently updated saved searches also.

richgalloway · ‎08-02-2017

Try the rest command. For example,

| rest servicesNS/nobody/search/saved/searches  | table title updated

Replace 'search' in the query with the name of your app.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-02-2017

Try the rest command. For example,

| rest servicesNS/nobody/search/saved/searches  | table title updated

Replace 'search' in the query with the name of your app.

---
If this reply helps you, Karma would be appreciated.

suryaaruna · ‎09-27-2017

Thanks Richgalloway. It is working for me. but can i get the same for all the apps at once?

richgalloway · ‎09-29-2017

You can use | rest /services/apps/local | fields title to get a list of apps on your system and use a script to invoke | rest servicesNS/nobody/<title>/saved/searches | table title updated for each app on the list.

---
If this reply helps you, Karma would be appreciated.

harsmarvania57 · ‎09-29-2017

Try this | rest servicesNS/-/-/saved/searches | table title updated

richgalloway · ‎10-01-2017

This is good. I wasn't aware of the '-' as a wildcard. I would update the table command to 'table eai:acl.app title updated` to get the app name for each search

---
If this reply helps you, Karma would be appreciated.

Need to get a list of all saved searches rescently updated

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life