Reporting

Any way to get the name of the scheduled search you are in?

DalJeanis
SplunkTrust

I have an odd use case, where I'd like to be able to add a field naming the saved search I happen to be executing.

I know that addinfo gives the SID, is there any way to get the search name?


micahkemp
Champion

I would add an | eval insavedsearch="true" to your scheduled search. You control the search that's executed when the scheduled time comes, so why not make use of that control?

If you have a need for the same search, minus that eval to be available in an ad-hoc-able savedsearch, consider using a macro for the common portions, and add the eval just to the scheduled version.

0 Karma

sbbadri
Motivator

try this

index="_internal" sourcetype="scheduler" user=admin sid=scheduler* | table savedsearch_name _time

0 Karma

DalJeanis
SplunkTrust

How would you use that to get the name of the same search that is currently being run?

something like this...?

| appendpipe 
    [ search index="_internal" sourcetype="scheduler" user=admin sid=scheduler* 
    | table savedsearch_name _time | where _time = now() ]
0 Karma

sbbadri
Motivator

index="_internal" sourcetype="scheduler" user=admin sid=scheduler* | append [| rest /services/saved/searches/savedsearch_name | search is_scheduled=1] | table savedsearch_name,title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

or

The rest command below will get you all scheduled searches; to list all the searches, run the second search.

| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | table title, cron_schedule next_scheduled_time eai:acl.owner actions eai:acl.app action.email action.email.to dispatch.earliest_time dispatch.latest_time search *

To see all the users and their scheduled searches:

| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | stats values(eai:acl.app) as application c by title, eai:acl.owner | fields - c

0 Karma

DalJeanis
SplunkTrust

Yeah, I just want, within the search that is running, to know what its own name is, and that's a long way around the block to get there, if it gets there at all.

0 Karma

bowesmana
SplunkTrust

@DalJeanis 

Did you ever find a solution for this?

It must be 'knowable' somehow, as if summary indexing is enabled, then it will have the search_name and source set to the name of the search when collected.

0 Karma

thambisetty
SplunkTrust

Below is sample saved search. I could see saved search name in the field title.

| makeresults 
| eval test="testing,testing2" 
| makemv test delim="," 
| mvexpand test 
| addinfo 
| join type=left 
    [| rest /services/search/jobs 
    | table info_sid title eai:acl.app eai:acl.owner 
    | rename sid as info_sid, title as search ] 
| join type=left search 
    [| rest splunk_server=local count=0 /services/saved/searches 
    | table title search]

You must add the search below to your saved search to get the title field.

| addinfo 
| join type=left 
    [| rest /services/search/jobs 
    | table info_sid title eai:acl.app eai:acl.owner 
    | rename sid as info_sid, title as search ] 
| join type=left search 
    [| rest splunk_server=local count=0 /services/saved/searches 
    | table title search]

bowesmana
SplunkTrust

Thanks @thambisetty 

A couple of minor mistakes in the response about info_sid, which might be worth fixing up, i.e.

| join type=left info_sid
    [| rest /services/search/jobs 
    | table sid title eai:acl.app eai:acl.owner 
    | rename sid as info_sid, title as search ]

 It does work, so thanks for that.

I couldn't end up using it, as I've got a slightly odd use case: I have a saved search calling a saved search, passing replaceable params to the second one, and this code in the second one then doesn't work. So, although it's probably fixable with the right join data, I ended up using a macro with the name components, which follow a strict naming convention, so I had the name in some form anyway.

0 Karma
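The join above works because the `info_sid` that `addinfo` hands a scheduled search is not an opaque number: scheduler jobs carry the owner, the app and a name token in the SID itself, which is what `/services/search/jobs` and `/services/saved/searches` let you tie back together. The Python below is an added example, written for this page and not posted by anyone in the thread, that does the same resolution offline. It assumes the layout `scheduler__<user>__<app>__<name>_at_<epoch>_<seq>`, an `rt_` prefix for real-time scheduled runs, and that long or special-character names appear as `RMD5` followed by the MD5 of the saved search title; the `SAVED_SEARCH_TITLES` list is a constructed stand-in for what `| rest /services/saved/searches | table title` would return, so verify the token rules against your own `_internal` scheduler events before relying on them.

```python
"""Resolve a Splunk scheduler SID back to the saved search that produced it.

Added example for this thread; not Splunk's code and not from any poster.
Assumed SID layout (check against your deployment):
    [rt_]scheduler__<user>__<app>__<name-or-RMD5hash>_at_<epoch>_<seq>
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for `| rest /services/saved/searches | table title`.
SAVED_SEARCH_TITLES = [
    "short_alert",
    "Failed logins per host (last 15m)",
    "Privilege escalation - sudo to root",
]

# Greedy `.+` so a name that itself contains "_at_" still splits on the last one.
_SID_TAIL = re.compile(r"^(?P<name>.+)_at_(?P<epoch>\d+)_(?P<seq>\d+)$")


@dataclass
class SchedulerSid:
    realtime: bool
    user: str
    app: str
    name_token: str   # plain title, or "RMD5" + 32 hex chars (assumption)
    epoch: int
    seq: int


def parse_scheduler_sid(sid: str) -> Optional[SchedulerSid]:
    """Return the parts of a scheduler SID, or None for an ad-hoc job SID."""
    realtime = sid.startswith("rt_")
    body = sid[3:] if realtime else sid
    if not body.startswith("scheduler__"):
        return None  # e.g. "1700000000.123": interactive search, no saved name
    # user and app may contain single underscores; "__" is the separator.
    parts = body.split("__")
    if len(parts) < 4:
        return None
    _, user, app = parts[:3]
    tail = "__".join(parts[3:])  # keep any "__" that is part of the name
    m = _SID_TAIL.match(tail)
    if not m:
        return None
    return SchedulerSid(realtime, user, app, m["name"], int(m["epoch"]), int(m["seq"]))


def rmd5_token(title: str) -> str:
    """Name token Splunk is assumed to use when the title cannot be embedded verbatim."""
    return "RMD5" + hashlib.md5(title.encode("utf-8")).hexdigest()


def resolve_saved_search_name(sid: str, titles: Iterable[str]) -> Optional[str]:
    """Map a SID to a saved search title from the catalog, or None if unresolved."""
    parsed = parse_scheduler_sid(sid)
    if parsed is None:
        return None
    token = parsed.name_token
    if token.startswith("RMD5") and len(token) == 36:
        by_hash = {rmd5_token(t): t for t in titles}
        return by_hash.get(token)
    # A plain token is only trusted when it matches a known title, since the
    # scheduler may have rewritten characters from the original name.
    return token if token in titles else None


if __name__ == "__main__":
    samples = [
        "scheduler__admin__search__short_alert_at_1700000000_7",
        "rt_scheduler__svc_splunk__SA-Security__"
        + rmd5_token("Failed logins per host (last 15m)") + "_at_1700000000_42",
        "1700000000.123",
    ]
    for s in samples:
        print(s, "->", resolve_saved_search_name(s, SAVED_SEARCH_TITLES))
```

Inside Splunk itself this is exactly what the `addinfo` plus `rest /services/search/jobs` join does for you; the standalone form is useful when you are reading scheduler SIDs out of `_internal` or `_audit` on a box that is not the search head, for instance while reconstructing which alert fired during an incident.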

micahkemp
Champion

To get the info for the search that's running, you may try using sid instead of time. | addinfo will give you the sid in the field info_sid.

Edit: it looks like your original question already states this. Reading comprehension fail. 🙂

0 Karma