Splunk: REST command to fetch all ad-hoc or unsaved searches performed on Splunk


Is there any REST query in Splunk to fetch the unsaved / ad-hoc searches performed on Splunk?

To give you some background:

The team is trying to understand the load patterns, and we have been able to figure out how to find the saved searches performed using the links below.

However, we need some help in getting the unsaved / ad-hoc searches performed by all users on Splunk.

| rest /servicesNS/-/-/saved/searches splunk_server=local

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-apps-using/m-p/162615

https://community.splunk.com/t5/Splunk-Search/Listing-all-saved-searches-from-all-apps-via-REST-without/m-p/508688

The above query fetches saved searches, but we need help in fetching unsaved / ad-hoc searches.


There is no REST endpoint that returns information about ad-hoc searches. You can, however, use REST to submit a job that searches the audit logs for that information.

Another option is to create your own REST endpoint. See https://dev.splunk.com/enterprise/docs/devtools/customrestendpoints/ for more information about that.
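As an added illustration of the first suggestion (not part of the answer above, and not Splunk's own code): the SPL below queries `index=_audit` for granted searches whose `savedsearch_name` is empty, which is how ad-hoc searches show up in the audit log, and the Python mimics that filter offline over constructed sample lines and builds the form body that would be POSTed to `/services/search/jobs`. The audit-line layout, the `savedsearch_name` convention and the job parameters are assumptions drawn from typical Splunk deployments, not from this page.

```python
import re
from collections import Counter
from urllib.parse import urlencode

# Constructed sample lines in the shape of Splunk's _audit entries (assumed
# format, not copied from a real instance): key=value pairs inside "Audit:[...]".
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=10-10-2023 12:00:01.000, user=alice, action=search, info=granted, "
    "search_id='1696939201.1', search='search index=web status=500', savedsearch_name=\"\"]",
    "Audit:[timestamp=10-10-2023 12:00:05.000, user=bob, action=search, info=granted, "
    "search_id='1696939205.2', search='search index=main | stats count', savedsearch_name=\"Daily Count\"]",
    "Audit:[timestamp=10-10-2023 12:00:09.000, user=alice, action=search, info=granted, "
    "search_id='1696939209.3', search='| rest /services/server/info', savedsearch_name=\"\"]",
    "Audit:[timestamp=10-10-2023 12:00:12.000, user=alice, action=search, info=completed, "
    "search_id='1696939201.1', total_run_time=1.23]",
    "Audit:[timestamp=10-10-2023 12:00:15.000, user=carol, action=login, info=succeeded]",
]

# SPL to submit as a job: granted searches with no saved-search name (ad-hoc),
# counted per user so load can be attributed.
ADHOC_SPL = (
    'search index=_audit action=search info=granted savedsearch_name="" '
    '| stats count AS adhoc_searches, values(search) AS searches BY user'
)

# key=value where the value is single-quoted, double-quoted, or bare up to the next comma.
FIELD_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|[^,\]]*)")


def parse_audit(line):
    """Return the key=value pairs of one audit line as a dict (quotes stripped)."""
    body = line[line.find("Audit:[") + len("Audit:["):line.rfind("]")]
    return {k: v.strip("'\"") for k, v in FIELD_RE.findall(body)}


def adhoc_searches_by_user(lines):
    """Offline equivalent of ADHOC_SPL: count granted searches with an empty savedsearch_name."""
    counts = Counter()
    for line in lines:
        ev = parse_audit(line)
        if ev.get("action") == "search" and ev.get("info") == "granted" and ev.get("savedsearch_name", "") == "":
            counts[ev["user"]] += 1
    return dict(counts)


def job_request_body(spl, earliest="-24h", latest="now"):
    """Form body for POST /services/search/jobs (assumed parameter names); send it with
    an authenticated HTTPS client in practice."""
    return urlencode({"search": spl, "earliest_time": earliest, "latest_time": latest, "output_mode": "json"})
```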