https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504167#M9018 <P>For email, <EM>action.email.subject.alert</EM> works. Seems like it's only available for alerts. For other alert actions, nothing I can find that distinguishes them.</P> Fri, 12 Jun 2020 14:29:52 GMT tmontney 2020-06-12T14:29:52Z https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/503799#M9014 <P>Using the API, I cannot tell the difference between reports and alerts. How do I distinguish? A parameter in my request? A property returned in the response?</P><P><STRONG><FONT size="4"><SPAN><A href="https://mysplunkserver.local:8089/servicesNS/-/-/saved/searches?count=0" target="_blank" rel="noopener">https://mysplunkserver.local:8089/servicesNS/-/-/saved/searches?count=0</A></SPAN></FONT></STRONG></P> Wed, 10 Jun 2020 20:46:05 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/503799#M9014 tmontney 2020-06-10T20:46:05Z https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504003#M9015 <P>You should be able to use the&nbsp;<I>alert_condition&nbsp;</I>field for for this.</P><P>Check out the link <A title="Splunk Docs" href="https://docs.splunk.com/Documentation/Splunk/7.2.6/RESTREF/RESTsearch#saved.2Fsearches" target="_self">here</A> for more info on the endpoint <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 11 Jun 2020 21:01:45 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504003#M9015 twesty 2020-06-11T21:01:45Z https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504161#M9016 <P>What values are acceptable for <EM>alert_condition</EM>? It's blank for all my saved searches. I think this is "Trigger Conditions" where it's set to Custom. I don't have that in any of my alerts.</P> Fri, 12 Jun 2020 14:03:35 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504161#M9016 tmontney 2020-06-12T14:03:35Z https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504163#M9017 <P>I'd take a look at your REST results and see which fields in action.* are the safest to work with for you. Unfortunately there isnt a field which states THIS IS AN ALERT. There really should be given the UI has such a clear separation between Alerts and Reports and the architecture behind the scenes stores the config in the same place... but that's another conversation for another time <span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Fri, 12 Jun 2020 14:14:26 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504163#M9017 twesty 2020-06-12T14:14:26Z https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504167#M9018 <P>For email, <EM>action.email.subject.alert</EM> works. Seems like it's only available for alerts. For other alert actions, nothing I can find that distinguishes them.</P> Fri, 12 Jun 2020 14:29:52 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504167#M9018 tmontney 2020-06-12T14:29:52Z https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504171#M9019 <P>that would work. Just bear in mind that only relying on that one field as your condition will fail if you create an alert which does not send an email</P> Fri, 12 Jun 2020 14:54:12 GMT https://community.splunk.com/t5/Splunk-Dev/Filter-saved-searches-for-Alerts/m-p/504171#M9019 twesty 2020-06-12T14:54:12Z