- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: search all saved searches .conf files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
quick question, I want to search all saved searches .conf files for all email actions for a specific e-mail address while also showing the search name, how would i do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows command line:
findstr /s /i "<search_string>" savedsearches.conf
Unix/Linux command line:
find . -name savedsearches.conf -exec grep -i "<search_string>" {} \;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (to list all)
| rest /servicesNS/-/-/saved/searches splunk_server=local | search action.email=1 | table title eai:acl.app action.email.to
For searches for specific email
| rest /servicesNS/-/-/saved/searches splunk_server=local | search action.email=1 action.email.to=*emailtosearch@example.com* | table title eai:acl.app action.email.to
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows command line:
findstr /s /i "<search_string>" savedsearches.conf
Unix/Linux command line:
find . -name savedsearches.conf -exec grep -i "<search_string>" {} \;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use the GUI. Searches and Reports will show you matches for email addresses within scheduled searches.
Or on the CLI, you could use btool and some grep'ing:
splunk btool savedsearches list | egrep -r "^\[|youremailaddress@email.com"
This will show you each saved search stanza opening, followed by a line with the matching email if it's there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i want it to show the search/alert name and who it e-mails. i am getting verbose results with this one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right. It shows all scheduled search names, but only those with emails will have a second line:
[somesearch]
action.email.to = youremail@email.com
[another_search]
[yetanother]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the file system something like - find . -name "searches.conf" | xargs grep -i <e-mail address>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
| rest /servicesNS/-/-/saved/searches/ | where is_scheduled=1 AND 'action.email'=1 | table eai:acl.app title
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
seems like it is not showing all the alerts in the saved searches .conf file. and it is not showing the e-mail actions.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
