Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I use rex to extract the time stamp of a used search?

ECovell
Path Finder
‎08-29-2016 12:22 PM

I am attempting to create a search that would pull information about search usage. I have an index generated off of this:

| rest /servicesNS/-/-/saved/searches splunk_server=local
| rename "eai:acl.app" AS app
| rename "eai:acl.owner" AS owner
| table title,app,owner

I have searched and cannot find a way to add a time stamp for searches.

Thanks for your help,
Ernie

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-02-2016 08:46 AM

you can write a particulear user-name 

index=_audit action=search user=user-name | stats latest(_time) as LastRun by user | convert ctime(LastRun)

or, for all usernames (without splunk-system-user and splunk_alert_scheduler, the saved search user accounts)

index=_audit action=search user!=splunk* | stats latest(_time) as LastRun by user | convert ctime(LastRun)
0 Karma
Reply

ECovell
Path Finder
‎09-20-2016 12:14 PM

Are searches time stamped when they are initiated? If they are where is that time stamp saved, maybe I can write up a script to draw it out?

Thanks,
Ernie

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-29-2016 01:13 PM

Hi Ernie,
have you taken a look at this app yet? It may contain all the things you are trying to build, and then some.

I don't believe the REST endpoint will capture the last run time of each search, if that is what you are after. For getting that, you will have to search index=_audit similar to this (will need tweaking): index=_audit action=search savedsearch_name="*" | stats latest(_time) as LastRun by savedsearch_name | convert ctime(LastRun)

I would definitely take a look at the app mentioned above, if only to give you an idea of where to find the relevant data for your use case.

Reply

ECovell
Path Finder
‎09-02-2016 07:50 AM

This search works really well, but all I get is the scheduled searches that populate. I run a lot of different searches manually and they do not show up in this report. Any other suggestions?

Thanks,
Ernie

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎09-02-2016 09:21 AM

Sorry, your initial question suggested you are only interested in finding saved search information. You can remove savedsearch_name="*" from the search string and find a different field to group by to include all search activity, as @inventsekar points out below.

0 Karma
Reply

ECovell
Path Finder
‎09-12-2016 06:48 AM

I have tried all different variations of searches, but I still get only the saved searches and not all the searches run. Is there a file that I can rip some of that info from? Is there some other search format I can try other than rest or index=audit source=audittrail?

Thanks,
Ernie

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...