I would like to get a table which has a column containing my views and then another column which contains the saved/in-line searches that are used in each view. I would like to be able to do the reverse as well: get a list of saved searches and see what views they are used in. I can get a list of the saved searches using the REST API; is there any way to get the views? And if so, can I get the XML from the views? Is this something that I will need to write a bash script in order to do?
Thanks,
Sarah
Well if you have the Sideview Utils app, it contains a custom search command called "splunkentity", and here's a search that uses that command as well as the rex command to extract the savedsearch names from all the views:
| splunkentity app="YOUR_APP_NAME_HERE" data/ui/views | table name eai:data | rename eai:data as xml | search xml="SavedSearch" | rex max_match=50 field="xml" "(?s)<module name=\"(Hidden)?SavedSearch\"([^>]+)?>[^<]+
mileage may vary, and possibly Splunk now ships a search command that does the same thing. At any rate with some search command that gets the view XML, and a regex to parse out the saved search names, and a stats command to group it all, it should be quite possible, at least for admin users.
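The approach in the answer above (pull each view's XML from data/ui/views, pull the saved-search names out of it, then group) can also be done outside Splunk with a short script. The following is an added example, not code from the original thread or from Sideview Utils. It parses the view XML with an XML parser instead of a regex, so a module attribute in a different order or a saved search referenced from a Simple XML dashboard (`<searchName>` or `<search ref="...">`) is still found, and it builds both tables the question asks for: view to saved searches, and saved search to views. The sample views are constructed for the example; `fetch_views` is an assumed helper that queries the REST endpoint named on the page with a session token and is not exercised offline.

```python
"""Map Splunk views to the saved searches they reference, and the reverse.

Added example: reads the view XML that the REST endpoint data/ui/views returns
in the eai:data field, and resolves saved-search references from both
Advanced XML (SavedSearch / HiddenSavedSearch modules) and Simple XML.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: view name -> the view's XML, as data/ui/views
# would return it in eai:data. Two views share one saved search, one view
# uses only an in-line search and should map to nothing.
SAMPLE_VIEWS = {
    "ops_overview": """<view template="dashboard.html">
  <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1">
    <param name="savedSearch">Failed Logins by Host</param>
  </module>
  <module name="SavedSearch" layoutPanel="panel_row1_col2">
    <param name="savedSearch">Privilege Escalations</param>
  </module>
</view>""",
    "auth_dashboard": """<dashboard>
  <row>
    <table><searchName>Failed Logins by Host</searchName></table>
    <chart><search ref="New Admin Accounts"/></chart>
  </row>
</dashboard>""",
    "ad_hoc_only": """<dashboard><row><table>
  <search><query>index=_internal | head 5</query></search>
</table></row></dashboard>""",
}


def saved_searches_in_view(view_xml):
    """Return the set of saved-search names referenced by one view's XML.

    Raises xml.etree.ElementTree.ParseError if the XML is malformed, so the
    caller can report the view instead of silently treating it as empty.
    """
    root = ET.fromstring(view_xml)
    names = set()
    # Advanced XML: <module name="SavedSearch"> or "HiddenSavedSearch" with a
    # <param name="savedSearch"> child holding the saved search name.
    for mod in root.iter("module"):
        if mod.get("name") in ("SavedSearch", "HiddenSavedSearch"):
            for param in mod.findall("param"):
                if param.get("name") == "savedSearch" and param.text:
                    names.add(param.text.strip())
    # Simple XML: <searchName>Name</searchName> or <search ref="Name"/>.
    # In-line searches (<search><query>...</query></search>) have no ref.
    for el in root.iter("searchName"):
        if el.text:
            names.add(el.text.strip())
    for el in root.iter("search"):
        if el.get("ref"):
            names.add(el.get("ref"))
    return names


def build_tables(views):
    """Return (view -> saved searches, saved search -> views, unparseable views)."""
    view_to_searches = {}
    search_to_views = defaultdict(set)
    unparseable = []
    for view_name, view_xml in views.items():
        try:
            searches = saved_searches_in_view(view_xml)
        except ET.ParseError:
            unparseable.append(view_name)
            continue
        view_to_searches[view_name] = searches
        for search_name in searches:
            search_to_views[search_name].add(view_name)
    return view_to_searches, dict(search_to_views), unparseable


def fetch_views(base_url, token, app="-", owner="-"):
    """Assumed helper: fetch name -> eai:data for every view over the REST API.

    Uses the data/ui/views endpoint named in the thread with output_mode=json;
    the caller supplies a reachable base_url (e.g. https://host:8089) and a
    session/bearer token. Not exercised by the offline example.
    """
    url = f"{base_url}/servicesNS/{owner}/{app}/data/ui/views?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        entries = json.load(resp)["entry"]
    return {e["name"]: e["content"].get("eai:data", "") for e in entries}


if __name__ == "__main__":
    v2s, s2v, bad = build_tables(SAMPLE_VIEWS)
    for view, searches in sorted(v2s.items()):
        print(f"{view:16} -> {sorted(searches) or '(in-line searches only)'}")
    for search, views in sorted(s2v.items()):
        print(f"{search:24} <- {sorted(views)}")
    if bad:
        print("unparseable views:", bad)
```

Swap `SAMPLE_VIEWS` for `fetch_views(...)` to run it against a live instance; as the answer notes, listing every app's views through the REST API generally needs an admin-level role, so the token used should belong to a read-only account reserved for this kind of inventory.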
It is not done natively. You may want to check out this app: http://splunk-base.splunk.com/apps/64088/x-ray-splunk-knowledge-objects . I don't know if it has what you are looking for, but it might come in handy. A bash script would also work.
Yes, this is exactly the problem that I wrote X-Ray Splunk to solve!
If the app has problems, please email me, as it is pretty new and I need more feedback!
This app looks as though it would also get me what I need.