Update savedsearches.conf
gjanders committed Apr 19, 2024
1 parent d2de1a1 commit 81d7cd6
Showing 1 changed file with 30 additions and 0 deletions.
30 changes: 30 additions & 0 deletions default/savedsearches.conf
Expand Up @@ -8631,3 +8631,33 @@ search = | rest "/servicesNS/-/-/storage/collections/config" count=0 timeout=900
| join type=outer collection [ | rest /servicesNS/-/-/data/transforms/lookups splunk_server=local search=type=kvstore f=collection f=eai:* timeout=900 count=0 ] \
| rename eai:acl.app AS app, eai:acl.sharing AS sharing, author AS owner, title AS lookup_definition_name \
| table collection, owner, app, sharing, owner, lookup_definition_name

[SearchHeadLevel - Search Queries summary loadjob and savedsearch usage in audit logs]
action.email.useNSSubject = 1
alert.track = 0
cron_schedule = 38 5 * * *
description = Report only? Yes. This search attempts to search the audit logs to find any use of | loadjob of | savedsearch within the audit logs. macro substitution is not used but could be included (although I'm unsure how often someone calls a | savedsearch or | loadjob via a macro)
dispatch.earliest_time = -24h-5m@
dispatch.latest_time = -5m@m
display.events.fields = ["index","sourcetype","host"]
display.general.type = statistics
enableSched = 0
realtime_schedule = 0
request.ui_dispatch_app = SplunkAdmins
request.ui_dispatch_view = search
search = index=_audit "info=completed" search_id!="'SummaryDirector_*" search_id!="'rsa_*" search_id!="'RemoteStorageRetrieveBuckets_*" search_id!="'RemoteStorageRetrieveIndexes*" search_id!="'ta_*" \
| rex "(?s), search='(?P<search>.*)\]$" \
| rex field=search mode=sed "s/\n/ /g" \
| rex field=search mode=sed "s/```.*?```/ /g" \
| eval search=if(substr(search,len(search),len(search)-1)=="'",substr(search,0,len(search)-1),search) \
| eval search_id=replace(search_id,"'","") \
| regex search="\|\s*loadjob\s*savedsearch=|\|\s*savedsearch" \
| rex field=search "\|\s*savedsearch\s+(\"(?P<identified_savedsearch_name>[^\"']+)\"|(?P<identified_savedsearch_name2>[^ ']+))" \
| rex field=search "\|\s*loadjob savedsearch=\"[^:]+:[^:]+:(?P<identified_savedsearch_name3>[^\"]+)" \
| eval identified_savedsearch_name=coalesce(identified_savedsearch_name,identified_savedsearch_name2,identified_savedsearch_name3) \
| where isnotnull(identified_savedsearch_name)\
| search NOT identified_savedsearch_name IN ("instrumentation.topology*", "instrumentation.usage*", "instrumentation.upgrade*", "instrumentation.deployment*", "instrumentation.performance*", "instrumentation.app*", "instrumentation.licensing*", "instrumentation.authentication*")\
| eval method=if(isnull(identified_savedsearch_name3),"savedsearch","loadjob")\
| eval search_head=host \
| eval env=`search_head_cluster`\
| stats values(savedsearch_name) AS calling_savedsearch_name by _time, user, provenance, mode, app, identified_savedsearch_name, env, method
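Review bot: `dispatch.earliest_time = -24h-5m@` in the new stanza ends with a snap-to `@` that has no time unit, while the next line uses `dispatch.latest_time = -5m@m`; the two bounds look intended to be symmetric, so the earliest time should probably read `dispatch.earliest_time = -24h-5m@m` (whether Splunk tolerates a bare `@` or silently ignores it is worth confirming rather than relying on). The `description` has a typo, "| loadjob of | savedsearch" should be "| loadjob or | savedsearch". The trailing-quote trim in `eval search=if(substr(search,len(search),len(search)-1)=="'",substr(search,0,len(search)-1),search)` passes a 0 start index to `substr`, which is 1-based in SPL; it appears to work only because 0 is clamped to 1, so a short comment such as `# strip the trailing ' left by the audit log's search='...' wrapper` would help the next reader, and `substr(search,1,len(search)-1)` would make the intent explicit. Note also that `stats ... by _time, ...` groups at raw event granularity, so the report lists one row per audited search rather than a summary; if that is intended, the description should say so.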
