Splunk search for Creation Date of a Scheduled Search

index=_audit sourcetype=audittrail savedsearch_name="<insert search title>" earliest=-365d | stats earliest(_time) as created | eval created=strftime(created,"%m/%d/%Y %H:%M:%S")
This search returns the first time that a scheduled search ran, which is the closest the audit trail gets to a creation date. It assumes two things. First, the search was created within the last year; second, the retention period of your _audit index is at least one year. To use it, replace <insert search title> with the name of the saved search you are interested in (quote the name if it contains spaces). If the result lands at or very near the start of the window, a year ago, the search is probably older than that and the date is only a lower bound; widen earliest if your retention allows. It is recommended to run this search in Fast mode, since it scans a very long time period.
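The same logic, as an added example that is not part of the original snippet, run in Python over constructed audittrail lines so the steps of the search (time window, earliest event per saved search, date formatting) can be seen outside Splunk. The log lines approximate the real audittrail field layout but their values are made up; the window-edge check is an assumption added here to flag searches whose first recorded run sits at the very start of the retention window, and it generalizes the page's search to all scheduled searches at once instead of one name.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of audittrail events (index=_audit, sourcetype=audittrail).
# Field names follow Splunk's audit log; timestamps, names and search text are made up.
# Scheduled runs carry savedsearch_name; ad-hoc searches carry an empty name.
SAMPLE_AUDIT = """\
Audit:[timestamp=11-21-2022 02:00:05.114, user=splunk-system-user, action=search, info=granted, search_id='scheduler__admin__search__RMD5aaa_at_1668996000_1', search='search index=main | stats count', savedsearch_name="Daily Count"][n/a]
Audit:[timestamp=11-23-2022 02:00:05.301, user=splunk-system-user, action=search, info=granted, search_id='scheduler__admin__search__RMD5aaa_at_1669168800_1', search='search index=main | stats count', savedsearch_name="Daily Count"][n/a]
Audit:[timestamp=11-23-2022 02:00:09.220, user=splunk-system-user, action=search, info=completed, search_id='scheduler__admin__search__RMD5aaa_at_1669168800_1', total_run_time=3.90, savedsearch_name="Daily Count"][n/a]
Audit:[timestamp=06-15-2023 00:00:02.001, user=splunk-system-user, action=search, info=granted, search_id='scheduler__admin__search__RMD5bbb_at_1686787200_3', search='search index=_audit action=login', savedsearch_name="Failed Logins"][n/a]
Audit:[timestamp=11-20-2023 02:00:04.870, user=splunk-system-user, action=search, info=granted, search_id='scheduler__admin__search__RMD5aaa_at_1700445600_9', search='search index=main | stats count', savedsearch_name="Daily Count"][n/a]
Audit:[timestamp=11-21-2023 09:13:44.000, user=admin, action=search, info=granted, search_id='1700557624.17', search='search index=main error', savedsearch_name=""][n/a]
"""

# "Now" is pinned so the example is reproducible; a real run would use datetime.now().
NOW = datetime(2023, 11, 22, 12, 0, 0)

AUDIT_RE = re.compile(
    r"timestamp=(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d+,.*?"
    r'savedsearch_name="(?P<name>[^"]*)"'
)


def parse_audit(audit_text):
    """Yield (event_time, savedsearch_name) for each line that names a saved search.
    Lines with an empty savedsearch_name are ad-hoc searches and are skipped."""
    for line in audit_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or not m.group("name"):
            continue
        yield datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S"), m.group("name")


def first_run_dates(audit_text, now=NOW, window_days=365,
                    boundary_slack=timedelta(days=1)):
    """Mirror of the page's search, run for every saved search at once:
    keep events inside the window (earliest=-365d), take the earliest event per
    savedsearch_name (stats earliest(_time)) and format it (strftime).
    may_predate_window is an added check: a first run within boundary_slack of the
    window start means the search is probably older and the date is a lower bound."""
    window_start = now - timedelta(days=window_days)
    earliest = {}
    for when, name in parse_audit(audit_text):
        if when < window_start:        # outside earliest=-365d, as Splunk would drop it
            continue
        if name not in earliest or when < earliest[name]:
            earliest[name] = when
    return {
        name: {
            "created": when.strftime("%m/%d/%Y %H:%M:%S"),
            "may_predate_window": when - window_start <= boundary_slack,
        }
        for name, when in earliest.items()
    }


if __name__ == "__main__":
    for name, info in first_run_dates(SAMPLE_AUDIT).items():
        flag = " (at window edge, probably older)" if info["may_predate_window"] else ""
        print(f"{name}: first run {info['created']}{flag}")
```

In the sample, "Daily Count" has a run on 11-21-2022 that falls outside the one-year window, so its first in-window run (11-23-2022) is flagged as sitting at the window edge, which is exactly the case where the page's search would report a date later than the true creation date.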

Category:

General Splunk


Tags:

administration audit saved searches

Search Commands:
