https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369659#M1273 <P>I used this to determine if the saved search was a report or an alert:<BR /> <CODE>| eval ss_type=if((NOT 'action'=="*" AND NOT alert_track=="*" AND NOT alert_condition=="*" AND 'alert_type'=="always"),"report","alert")</CODE><BR /> it may just be when 'alert_type'=="always" but I added the others to be safe. I needed to do this to create clickable links that would open the report or alert . So you might want to check if it has these values, which would cause it to be recognized as a report.</P> Tue, 30 Jan 2018 22:18:42 GMT AVOLLMER 2018-01-30T22:18:42Z https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369658#M1272 <P>I queried the /servicesNS/-/-/saved/searches GET API and got a number of responses which included saved searches listed under Reports and Alerts on the front end. I took the response for one of the alerts, extracted the relevant information (without changing any values) and did a POST to /servicesNS/{owner}/{app}/saved/searches/{name}. After I did the POST, the saved search is now showing up under Report on the UI.</P> Tue, 02 Jan 2018 15:23:47 GMT https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369658#M1272 catchaj88 2018-01-02T15:23:47Z https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369659#M1273 <P>I used this to determine if the saved search was a report or an alert:<BR /> <CODE>| eval ss_type=if((NOT 'action'=="*" AND NOT alert_track=="*" AND NOT alert_condition=="*" AND 'alert_type'=="always"),"report","alert")</CODE><BR /> it may just be when 'alert_type'=="always" but I added the others to be safe. I needed to do this to create clickable links that would open the report or alert . So you might want to check if it has these values, which would cause it to be recognized as a report.</P> Tue, 30 Jan 2018 22:18:42 GMT https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369659#M1273 AVOLLMER 2018-01-30T22:18:42Z https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369660#M1274 <P>It's an old thread, but is <CODE>alert_type=="always"</CODE> enough to determine that a saved search is an alert?</P> Wed, 20 Nov 2019 16:51:20 GMT https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369660#M1274 danielbb 2019-11-20T16:51:20Z https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369661#M1275 <P>Apparently, it's the other way around - <CODE>alert_type == "always"</CODE>, means that the saved search is a report, because it always fires and therefore to detect alerts we need to use <CODE>alert_type != "always"</CODE>, in cases when <CODE>alert_type == "number of events"</CODE> etc. </P> Wed, 20 Nov 2019 18:07:29 GMT https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/369661#M1275 danielbb 2019-11-20T18:07:29Z https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/576778#M1276 <P>The thread is even older now, but I also found you need to specify&nbsp; `<SPAN>'alert.suppress'</SPAN><SPAN>: </SPAN><SPAN>0</SPAN><SPAN>` when posting to `<SPAN>/servicesNS/{owner}/{app}/saved/searches/</SPAN></SPAN><SPAN>` to make sure it's an alert and not a report.<BR />In total, I specified at least the below parameters to create an alert</SPAN></P><P>&nbsp;</P><LI-CODE lang="python">{ 'is_scheduled': 1, 'cron_schedule': '09-59/10 * * * *', 'alert_comparator': 'greater than', 'alert_threshold': 5, 'alert_type': 'number of events', 'alert.suppress': 0, }</LI-CODE><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P> Tue, 30 Nov 2021 16:57:34 GMT https://community.splunk.com/t5/Other-Usage/Report-vs-Alert-in-REST-API-for-saved-searches/m-p/576778#M1276 emottola 2021-11-30T16:57:34Z