topic Search with Rest API to list all alerts, reports and dashoboard of a specific app in Splunk Enterprise

Search with Rest API to list all alerts, reports and dashoboard of a specific app

SplunkExplorer — Mon, 18 Nov 2024 14:44:59 GMT

Hi Splunkers, as per thread title, I need to build one or more searches that show me, for a specific app, all alerts, reports and dashboards owned by a specific app.

Now, I know very well that community is full of topic with this problem and related answer. The issue is the following: no one works properly, in my cases. This because, when I run the search, If I specify the app, I got "mixed" results: I mean, I got an output composed by alerts owned app I'm searching for, but also other.

Let me be more specific.

I know that, for such kind of search, the base string is:

| rest splunk_server=local /servicesNS/-/-/saved/searches | table title

Whis means: ehy, return me all saved searches for all apps on local Splunk Server (a SH, in my case).

So, if I execute above search, I got more or less 450 results.
So, what about if I need to filter? Very simple:

| rest splunk_server=local /servicesNS/-/<app name here>/saved/searches | table title

That should return all and only saved searches for requested app (a custom one in my cases).
Problem: app I need info has 119 saved searches (checked on GUI in related page)
Above query return me a total amount of 256; analyzing the output, it return me searches owned by other apps.
Of course, I have already performed the obvious check, which is: am I sure that searches in output belongs to different apps and are not all for the one I'm searching for? Yes, I checked and on outpur result there are also Enterprise Security Searches, so for sure search is returning me more data than the one I need.

So, my question is: what can be the root cause of this behavior, if searches ownership is correct?

Re: Search with Rest API to list all alerts, reports and dashoboard of a specific app

dural_yyz — Mon, 18 Nov 2024 16:10:06 GMT

Not sure why your example is not working with the reduced list you expect, I get similar results from what you try plus here is an alternate for you to try.

| rest splunk_server=local /servicesNS/-/search/saved/searches
| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=search"

Re: Search with Rest API to list all alerts, reports and dashoboard of a specific app

isoutamo — Mon, 18 Nov 2024 18:11:02 GMT

Hi
On GUI there are separate tabs for alerts and reports, but when you are querying those with rest, then you got those both at the same time.
Here is old post which tell how you could try to identify which is alert and which is report. https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-export-all-alerts-to-csv-or-pdf/m-p/629226#M9319
r. Ismo

Re: Search with Rest API to list all alerts, reports and dashoboard of a specific app

SplunkExplorer — Tue, 19 Nov 2024 08:53:18 GMT

Ok, for the first time I don't know which answer should I label as solution XD

That because both @isoutamo and @dural_yyz hints helped me to build the final searche.
Final result is:

| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=<app name here>" | rename "alert.track" as alert_track | eval type=case(alert_track=1, "alert", (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", true(), "report") | table title, type

With this, I can get a table with searches title and its typology, I mean alert or report.

Thanks to both!