
Is there any REST query in Splunk to fetch the unsaved / ad-hoc searches performed on Splunk?

To give you a background,

the team is trying to understand the load patterns and we are able to figure out how to find the saved searches performed with the below links.

However we need some help in getting the unsaved / ad-hoc searches performed by all users on Splunk.

| rest /servicesNS/-/-/saved/searches splunk_server=local

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-apps-using/m-p/162615

https://community.splunk.com/t5/Splunk-Search/Listing-all-saved-searches-from-all-apps-via-REST-without/m-p/508688

The above query fetches saved searches, but we need help in fetching unsaved / ad-hoc searches.

Perhaps you can achieve this using the data from index=_internal; you could create a report on all searches run, and there is also data about Search Load. You should be able to see a data model for the relevant events here: In Settings --> Data Models --> Splunk's Internal Server Logs - SAMPLE. Absent an answer, I hope this helps – Daniel Price Jun 29 '22 at 11:48

1 Answer


There is no REST endpoint that returns information about ad-hoc searches. You can, however, use REST to submit a job that searches the audit logs for that information.

Another option is to create your own REST endpoint. See https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/ for more information about that.

RichG
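As an added example that is not part of the original thread and not Splunk's own code, the following script does what the answer suggests: it submits a oneshot search job over the REST API (POST /services/search/jobs) that reads the _audit index, then filters the returned audit events down to ad-hoc searches. In audit.log / index=_audit every user search produces action=search events; a search launched from a report carries its name in savedsearch_name, while an ad-hoc search carries an empty savedsearch_name, and that is the test used here. The host name, bearer token and audit events are all constructed for illustration (the parser is exercised on the embedded sample lines; the network call is only wired up, not run).

```python
"""Added example (not from the original thread or from Splunk): submit a oneshot
search job over Splunk's REST API that reads index=_audit, then pick out ad-hoc
(non-saved) searches and summarise search load per user.
Host, token and audit events are constructed for illustration."""
import json
import re
import urllib.parse
import urllib.request
from collections import Counter

# Every search leaves action=search events in index=_audit; info=granted marks
# the event written when the search was accepted. _raw is returned so the
# key=value pairs can be parsed locally.
AUDIT_SPL = "search index=_audit action=search info=granted search=* | table _raw"


def build_job_request(base_url, token, earliest="-24h", latest="now"):
    """Build the POST to /services/search/jobs. exec_mode=oneshot makes Splunk
    run the search synchronously and return the results in the response body."""
    body = urllib.parse.urlencode({
        "search": AUDIT_SPL,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
        "count": 0,  # 0 = return all rows instead of the default page size
    }).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/services/search/jobs",
        data=body,
        method="POST",
        # Assumed: an authentication token created under Settings > Tokens.
        headers={"Authorization": f"Bearer {token}"},
    )


def fetch_audit_events(base_url, token):
    """Run the job and return the raw audit lines (network call, not run here)."""
    with urllib.request.urlopen(build_job_request(base_url, token)) as resp:
        return [row["_raw"] for row in json.load(resp)["results"]]


# key=value pairs: single-quoted, double-quoted, or bare up to the next comma.
# Quoted forms are tried first because a search string contains '=' and ','.
_KV = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)"|([^,\s\]]+))""")


def parse_audit_event(raw):
    """Turn one Audit:[key=value, ...] line into a dict of strings."""
    fields = {}
    for m in _KV.finditer(raw):
        key, sq, dq, bare = m.groups()
        fields[key] = sq if sq is not None else dq if dq is not None else bare
    return fields


def adhoc_searches(raw_events):
    """Keep granted searches that were not launched from a saved search."""
    hits = []
    for raw in raw_events:
        ev = parse_audit_event(raw)
        if ev.get("action") != "search" or ev.get("info") != "granted":
            continue
        if ev.get("savedsearch_name"):  # non-empty name -> saved/scheduled run
            continue
        hits.append({"user": ev.get("user"), "search": ev.get("search"),
                     "search_id": ev.get("search_id")})
    return hits


def load_by_user(raw_events):
    """Number of ad-hoc searches per user, the load figure the question asks for."""
    return Counter(h["user"] for h in adhoc_searches(raw_events))


# Constructed audit lines in the shape Splunk writes to audit.log / index=_audit.
SAMPLE_AUDIT_EVENTS = [
    "Audit:[timestamp=06-29-2022 11:48:01.000, user=alice, action=search, info=granted , "
    "search_id='1656503281.12', search='search index=web status=500 | stats count', "
    "autojoin='1', buckets=0, ttl=600, apiStartTime='Wed Jun 29 10:48:01 2022', "
    "apiEndTime='Wed Jun 29 11:48:01 2022', savedsearch_name=\"\"]",
    "Audit:[timestamp=06-29-2022 11:50:00.000, user=splunk-system-user, action=search, "
    "info=granted , search_id='scheduler__admin__search__RMD5abc_at_1656503400_1', "
    "search='search index=_internal log_level=ERROR | stats count', "
    "savedsearch_name=\"Errors in the last 24 hours\"]",
    "Audit:[timestamp=06-29-2022 11:48:20.000, user=bob, action=search, info=granted , "
    "search_id='1656503300.15', search='search index=firewall action=blocked', "
    "savedsearch_name=\"\"]",
    "Audit:[timestamp=06-29-2022 11:48:04.000, user=alice, action=search, info=completed, "
    "search_id='1656503281.12', total_run_time=2.31, event_count=42, savedsearch_name=\"\"]",
]

if __name__ == "__main__":
    for hit in adhoc_searches(SAMPLE_AUDIT_EVENTS):
        print(hit)
    print(load_by_user(SAMPLE_AUDIT_EVENTS))
    # Against a live instance: load_by_user(fetch_audit_events("https://splunk.example:8089", "TOKEN"))
```

The filtering is done client-side on purpose: the search that hits Splunk stays a plain read of _audit, and the ad-hoc/saved split, the exclusion of the info=completed duplicates and any further grouping (by app, by time of day) are cheap to adjust in Python without re-running the job. Reading _audit requires a role that can search that index, which ordinary users normally cannot, so run this with a service account meant for reporting.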