Splunk Dev

Listing all saved searches using Python SDK

pietervi
Path Finder

Hi,

When doing changes to our splunk infrastructure I want to temporarily disabled all summary indexing searches from certain apps.
I'm trying to do that using the python sdk.

To get started I'm trying to fetch a list of all searches that exist in my Splunk setup.

But somehow when logging in using the sdk I only have access to the searches that the user owns.
See:

service=client.connect(host="localhost",port=8089,username="admin",password="xxx",autologin=True)
for savedsearch in service.saved_searches:
print savedsearch.name

This results in a total of about 6 searches being printed:

Errors in the last 24 hours
Errors in the last hour
Indexing workload
Messages by minute last 3 hours
Splunk errors last 24 hours
Top five sourcetypes

But this list should contain all searches that exist in Splunk.
I assume that it has something to do with the way I'm connecting but I'm not sure.

Thanks in advance,

Pieter

0 Karma
1 Solution

Neeraj_Luthra
Splunk Employee
Splunk Employee

The saved searches you are seeing are scoped to the default app for the user (admin in your case). You can list searches from other apps by specifying the "app" parameter in the connect method. The call would look something like this:

service=client.connect(host="localhost",port=8089,username="admin",password="xxx",app="xxx")

View solution in original post

Neeraj_Luthra
Splunk Employee
Splunk Employee

The saved searches you are seeing are scoped to the default app for the user (admin in your case). You can list searches from other apps by specifying the "app" parameter in the connect method. The call would look something like this:

service=client.connect(host="localhost",port=8089,username="admin",password="xxx",app="xxx")

Neeraj_Luthra
Splunk Employee
Splunk Employee

In the connect method, you can pass app="-" and it will list all saved searches that your user has access to across all apps. Hope this helps.

pietervi
Path Finder

That's what I was thinking as well.
But I was hoping that there was an other way to get all the searches without having to make a connection for every app.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...