Updated regex

Author: gjanders

README.md

@@ -360,6 +360,13 @@ Feel free to open an issue on github or use the contact author on the SplunkBase
 
 ## Release Notes
 ### 4.0.6
+Updated reports/alerts:
+- `AllSplunkEnterpriseLevel - Splunk Scheduler excessive delays in executing search`
+- `AllSplunkEnterpriseLevel - sendmodalert errors`
+- `SearchHeadLevel - Alerts that have not fired an action in X days
+- `SearchHeadLevel - Scheduled Search Efficiency`
+
+To extract savedsearch_name (as I found you can have savedsearches with double quotes in the title)
 
 ### 4.0.5
 New alerts:

default/savedsearches.conf

@@ -1604,6 +1604,7 @@ index=_internal `splunkenterprisehosts` sourcetype=scheduler app=* scheduled_tim
 | eval time=strftime(_time,"%+") \
 | eval delay_in_start = (dispatch_time - scheduled_time) \
 | where delay_in_start>100\
+| rex "savedsearch_id=\"[^;]+;[^;]+;(?P<savedsearch_name>.*?)\"," \
 | eval scheduled_time=strftime(scheduled_time,"%+") \
 | eval dispatch_time=strftime(dispatch_time,"%+") \
 | rename time AS endTime \
@@ -1970,6 +1971,7 @@ request.ui_dispatch_view = search
 search = ```Attempt to find alerts that are scheduled but not firing any actions, the alerts may need further review or may no longer be required. The app regex is in here because of some creative alert naming, X:app=Y is a real alert name in my environment!```\
 index=_internal source="*scheduler.log" sourcetype=scheduler `searchheadhosts` alert_actions!="" \
 | rex ", app=\"(?P<app>[^\"]+)\","\
+| rex "savedsearch_id=\"[^;]+;[^;]+;(?P<savedsearch_name>.*?)\"," \
 | stats count by savedsearch_name, app \
 | append \
     [| rest `splunkadmins_restmacro` /servicesNS/-/-/saved/searches \
@@ -2245,7 +2247,7 @@ OR "sendmodalert - Invoking modular alert action"\
 `splunkadmins_sendmodalert_errors`\
 | rex field=results_file "[/\\\]dispatch[/\\\](?P<sid>[^/]+)"\
 | eval sid=if(isnull(sid),"NOMATCH",sid)\
-| join sid type=outer [search index=_internal source="*scheduler.log" sourcetype=scheduler `splunkenterprisehosts` | table sid, savedsearch_name, app, user]\
+| join sid type=outer [search index=_internal source="*scheduler.log" sourcetype=scheduler `splunkenterprisehosts` | rex "savedsearch_id=\"[^;]+;[^;]+;(?P<savedsearch_name>.*?)\"," | table sid, savedsearch_name, app, user]\
 | cluster showcount=true\
 | table host, savedsearch_name, app, user, _raw, _time, cluster_count\
 | eval mostRecent = strftime(mostRecent, "%+")\
@@ -4067,6 +4069,7 @@ request.ui_dispatch_view = search
 search = ```This likely came from a Splunk conf presentation but I cannot remember which one so cannot attribute the original author!\
 Determine the length of time a scheduled search takes to run compared to how often it is configured to run, excluding acceleration jobs```\
 index=_internal `searchheadhosts` sourcetype=scheduler source=*scheduler.log (user=*) savedsearch_name!="_ACCELERATE_DM*"\
+| rex "savedsearch_id=\"[^;]+;[^;]+;(?P<savedsearch_name>.*?)\"," \
 | stats avg(run_time) as average_runtime_in_sec count(savedsearch_name) as num_times_per_week sum(run_time) as total_runtime_sec by savedsearch_name user app host\
 | eval ran_every_x_mins=round(60/(num_times_per_week/168))\
 | eval average_runtime_duration=tostring(round(average_runtime_in_sec/60,2), "duration")\