How to list saved searches

Question

Is it possible to search on saved search names?

I would like to be able to use splunk to query the data that is the names of my saved searches.

Accepted Answer

The names of configured saved searches are not indexed in Splunk by default. However, saved searches are stored in savedsearches.conf configuration files on the indexer. You can use Splunk's btool commmand to show you the names of saved searches and which apps they are configured in:

$ splunk cmd btool --debug savedsearches list | egrep "\["
unix       [10 Most Popular Executables Last Hour (UNIX - CPU)]
unix       [Addresses Connected To (UNIX - NET)]
search     [Admin - Splunkweb Recent Unhandled Exceptions]
search     [Admin - System Info]
unix       [Alert - syslog errors last hour]
unix       [Avg Resident Memory by Process Last 3 Hours (UNIX - MEM)]
unix       [Avg Virtual Memory by Process Last 3 Hours (UNIX - MEM)]
unix       [CPU Usage by Command (UNIX - CPU)]
unix       [CPU Usage by User (UNIX - CPU)]
SplunkforC [Cisco ASA Firewall - Actions Over Time - Summary]
SplunkforC [Cisco ASA Firewall - Top Denied DEST IP - Summary]
SplunkforC [Cisco ASA Firewall - Top Denied SRC IP - Summary]

A list of saved searches are also available in Splunk Manager.

Answer 2

2

If you download the "Sanity Check My App!" app (written by carasso) from splunkbase, it includes a new search command entity. You can use it to tell splunk to use the rest endpoint to collect the saved searches.

| entity saved/searches namespace=myapp

_raw will contain the search name and the field "search" will have the search string.

link

answered 15 Aug '11, 09:25

BobM
2.3k●1●4●13
accept rate: 30%

edited 15 Aug '11, 10:22

Can you elaborate on the entity command you have used here?

(15 Aug '11, 10:07) gkanapathy ♦

I assume it's a wrapper for the SDK calls: http://dev.splunk.com/view/managing-objects-tutorial/SP-CAAADQ5

(15 Aug '11, 10:08) gkanapathy ♦

1

I hadn't realized I was using a custom search command form an app I had installed. "Sanity Check My App!" I have updated my reply above.

(15 Aug '11, 10:24) BobM

Cool application, I was trying to get the username of the person that created the saved search (the owner) anyone know how to do that?

(07 May '12, 11:22) troywollensl...

Answer 3

I was looking for the same thing, and with latest Splunk, I could do the following.

| rest /servicesNS/*USERNAME*/*APPNAME*/saved/searches | table title qualifiedSearch

I may be wrong, but wanted to share for those who will look for this in the future...

e.g. "| rest /servicesNS/admin/search/saved/searches | table title qualifiedSearch"

then I get this:

             title                                                                                                qualifiedSearch
------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Errors in the last 24 hours     search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
Errors in the last hour         search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
Indexing workload               search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series
Messages by minute last 3 hours search index=_internal source="*metrics.log" eps "group=per_source_thruput" NOT filetracker | eval events=eps*kb/kbps | timechart fixedrange=t span=1m limit=5 sum(events) by series
Splunk errors last 24 hours     search index=_internal " error " NOT debug source=*splunkd.log*
Top five sourcetypes            search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5

How to list saved searches

Follow this question

Splunk Resources

Related questions