Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

History of a saved search

peter_gianusso
Communicator
‎11-15-2012 01:34 PM

Is it possible to get the history of when a saved search was executed? This will allow me to see if the cron schedule is working correctly.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:09 PM

Any chance you are on Splunk 5?

| history

Returns a history of searches formatted as an events list or as a table.

For 4.3 please try this:

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*)
| eval search_id=if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| search search_id!=rt_* search_id!=searchparsetmp*
| rex "search='(?<search>.*?)', autojoin"
| rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["

View solution in original post

Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎11-16-2012 08:14 AM

a simple approach would be to look at scheduler.log

0 Karma
Reply
Solved! Jump to solution
Solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:09 PM

Any chance you are on Splunk 5?

| history

Returns a history of searches formatted as an events list or as a table.

For 4.3 please try this:

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*)
| eval search_id=if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| search search_id!=rt_* search_id!=searchparsetmp*
| rex "search='(?<search>.*?)', autojoin"
| rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["
Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:49 PM

can you please try the one I just added to the answer? I think maybe in comments the code doesn't format properly.

0 Karma
Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎11-15-2012 02:31 PM

Error: Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the right hand side

0 Karma
Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎11-15-2012 02:17 PM

Here is a search I stole from SoS.

index=_audit ( splunk_server=local) action=search (id=* OR search_id=*)
| eval search_id=if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| search search_id!=rt_* search_id!=searchparsetmp*
| rex "search='(?<search>.*?)', autojoin"
| rex "savedsearch_name=\"(?<savedsearch_name>.*?)\"\]\["

Reply
Solved! Jump to solution

peter_gianusso
Communicator
‎11-15-2012 02:11 PM

No I am on the latest 4.x version. That shows the contents of searches.log which does not contain the name of the saved search.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...