Splunk Search

List of saved/in-line searches within a view

SarahBOA
Path Finder

I would like to get a table which has a column containing my views and then another column which contains the saved/in-line searches that are used in each view. I would like to be able to do the reverse as well: get a list of saved searches and see what views they are used in. I can get a list of the saved searches using the REST API; is there any way to get the views? And if so, can I get the XML from the views? Is this something that I will need to write a bash script in order to do?

Thanks,
Sarah

1 Solution

sideview
SplunkTrust
SplunkTrust

Well if you have the Sideview Utils app, it contains a custom search command called "splunkentity", and here's a search that uses that command as well as the rex command to extract the savedsearch names from all the views:

| splunkentity app="YOUR_APP_NAME_HERE" data/ui/views | table name eai:data | rename eai:data as xml | search xml="*SavedSearch*" | rex max_match=50 field="xml" "(?s)<module name=\"(Hidden)?SavedSearch\"([^>]+)?>[^<]+<param[^>]*>(?<saved_search>[^<]+)" | stats values(saved_search) by name

mileage may vary, and possibly Splunk now ships a search command that does the same thing. At any rate with some search command that gets the view XML, and a regex to parse out the saved search names, and a stats command to group it all, it should be quite possible, at least for admin users.
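An added example, not code from this thread or from Sideview Utils, that does the same grouping offline in Python: it parses the eai:data XML that the data/ui/views REST endpoint returns, pulls saved search names out of SavedSearch/HiddenSavedSearch modules (and, going a step beyond the thread, Simple XML `<search ref="...">` references), and builds both the view-to-search table and the reverse search-to-view table the question asks for. The param names per module, the sample views and the module table are assumptions; inline searches are ignored by design, and a malformed view yields an empty result instead of aborting the run.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Module names and the <param> carrying the saved search name (assumed):
# Sideview's SavedSearch uses "name", Splunk's HiddenSavedSearch "savedSearch".
SAVED_SEARCH_MODULES = {"SavedSearch": "name", "HiddenSavedSearch": "savedSearch"}

def saved_searches_in_view(xml_text):
    """Return the set of saved search names referenced by one view's XML."""
    found = set()
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return found  # malformed view XML: report nothing rather than abort
    # Advanced XML: <module name="SavedSearch"><param name="name">X</param>
    for module in root.iter("module"):
        param_name = SAVED_SEARCH_MODULES.get(module.get("name", ""))
        for param in module.findall("param"):
            if param.get("name") == param_name and (param.text or "").strip():
                found.add(param.text.strip())
    # Simple XML: <search ref="X"> references a saved search; inline <query> is not
    for search in root.iter("search"):
        if search.get("ref"):
            found.add(search.get("ref"))
    return found

def views_to_searches(views):
    """{view name: eai:data XML} -> {view name: sorted saved search names}."""
    return {name: sorted(saved_searches_in_view(xml)) for name, xml in views.items()}

def searches_to_views(view_map):
    """Invert views_to_searches(): {saved search name: sorted view names}."""
    inverted = defaultdict(list)
    for view, searches in view_map.items():
        for name in searches:
            inverted[name].append(view)
    return {name: sorted(views) for name, views in inverted.items()}

# Constructed sample views standing in for the eai:data field returned by
# the data/ui/views REST endpoint (one entry is deliberately malformed).
SAMPLE_VIEWS = {
    "errors_overview": """<view>
  <module name="HiddenSavedSearch"><param name="savedSearch">Errors last hour</param></module>
  <module name="SavedSearch"><param name="name">Top hosts</param></module>
</view>""",
    "hosts_dashboard": """<dashboard><row><panel><search ref="Top hosts"/></panel>
<panel><search><query>index=_internal | stats count</query></search></panel></row></dashboard>""",
    "broken_view": '<view><module name="SavedSearch">',
}
```

Feed it the `name` and `eai:data` fields of each entry from the REST endpoint (or the output of the splunkentity search above) to get the two tables for a real app.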


alacercogitatus
SplunkTrust
SplunkTrust

It is not done natively. You may want to check out this app: http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects. I don't know if it has what you are looking for, but it might come in handy. A bash script would also work.

lguinn2
Legend

Yes, this is exactly the problem that I wrote X-Ray Splunk to solve!

If the app has problems, please email me, as it is pretty new and I need more feedback!


SarahBOA
Path Finder

This app looks as though it would also get me what I need.
