Splunk search for Creation Date of a Scheduled Search

index=_audit sourcetype=audittrail savedsearch_name="<insert search title>" earliest=-365d | stats earliest(_time) as created | eval created=strftime(created,"%m/%d/%Y %H:%M:%S")
This search returns the first time the scheduled search ran. The _audit index records search executions, not configuration changes, so the result is the first run, which is the closest the audit trail gets to a creation date; a saved search that was created but has never executed (for example, one whose schedule is disabled) returns no events at all. The search assumes two things: first, that the search was created within the last year, and second, that your _audit index retention is at least one year. To use it, replace <insert search title> with the name of the saved search you are interested in, keeping the quotes, since saved search names usually contain spaces. Run the search in Fast mode, because it scans a very long time range.
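The same idea extends to every scheduled search on the instance at once. The following search is an added example, not part of the original post: it restricts the audit events to search-start records (action=search info=granted, which are standard audittrail fields) and groups by savedsearch_name and user, so one result row per saved search gives the first run, the most recent run and the run count. Sorting is done on the epoch value before the strftime formatting, because a date formatted as %m/%d/%Y does not sort chronologically as a string.

```spl
index=_audit sourcetype=audittrail action=search info=granted savedsearch_name=* earliest=-365d
| stats earliest(_time) AS first_run latest(_time) AS last_run count AS runs BY savedsearch_name user
| sort first_run
| eval first_run=strftime(first_run,"%m/%d/%Y %H:%M:%S"), last_run=strftime(last_run,"%m/%d/%Y %H:%M:%S")
| table savedsearch_name user first_run last_run runs
```

A first_run close to the start of the time range (the oldest data in _audit) means the search is at least that old and the real first run was probably before retention; only a first_run well inside the range can be read as the approximate creation date. To confirm how far back _audit actually goes before trusting the result, check the index retention with | rest /services/data/indexes/_audit | table title frozenTimePeriodInSecs, and compare it with the earliest _time in the index.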


Category: General Splunk

Tags: administration, audit, saved searches
