https://community.splunk.com/t5/Splunk-Search/Questions-on-query-to-get-all-alerts-which-are-configured-in/m-p/712287#M240318 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256484">@Cheng2Ready</a>&nbsp;</P><P>If you have a look in $SPLUNK_HOME/etc/system/default/savedsearches.conf - you can see some of the default values for items you're referring to, for example:</P><LI-CODE lang="markup">action.email = 0 action.populate_lookup = 0 action.rss = 0 action.script = 0</LI-CODE><P>This ultimately means these arent configured, because if they were configured for a specific report/search/alert then the value would be updated to 1.</P><P>Not all variables are alike - Developers who create and share their own alert actions might use different default values (e.g. blank instead of 0).</P><P>Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.<BR />Regards</P><P>Will</P> Sat, 22 Feb 2025 06:57:01 GMT livehybrid 2025-02-22T06:57:01Z https://community.splunk.com/t5/Splunk-Search/Questions-on-query-to-get-all-alerts-which-are-configured-in/m-p/712270#M240314 <P>So jumping into this search&nbsp; question<BR /><A href="https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288845" target="_blank" rel="noopener">https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288845</A><BR /><BR />my search I am using:<BR />| rest /servicesNS/-/-/saved/searches splunk_server=local<BR />| search disabled=0<BR />|table title, disabled, action.hangout_chat_alert, action.email<BR /><BR />I came a across the question of there is any documentation on what the 1, 0 or Blank means? on some of the fields .<BR />I have this alert that only has HangoutChat alert setup<BR />when I run this query below It shows<BR /><BR />title<BR />disabled=0&nbsp;<BR />action.hangout_chat_alert=0<BR />and action.email=0<BR /><BR />I'm confused as to why email and hangout are returning the value 0<BR />shouldn't it be like. disabled = 0 is returning me all alerts that are active and 1 is alerts that are actually disabled.<BR /><BR />title<BR />disabled=0&nbsp;<BR />action.hangout_chat_alert=0<BR />and action.email=blank<BR /><BR />my understanding with the 1 , 0 , and blank is<BR />1 is enabled<BR />0 is disabled<BR />and blank is that it was not setup with that action.<BR /><BR />Now on the original post<BR />you can see Mr <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a>&nbsp;is explaining below that alert.track=1 means its a alert and 0 means its a report.<BR />with all the other ones I don't believe it works the same .<BR />is there a documentation that has this topic covered?<BR /><BR />and how does my alert above fall into with action.email=0 even though I clearly have not set that action with my alert.&nbsp; only hangoutchat as the action.<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cheng2Ready_0-1740179523497.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34663i52290981A823F854/image-size/medium?v=v2&amp;px=400" role="button" title="Cheng2Ready_0-1740179523497.png" alt="Cheng2Ready_0-1740179523497.png" /></span></P><P>&nbsp;</P><P><BR /><BR /><BR /><BR /><BR />ALL APPS:</P><PRE>|rest/servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule</PRE><P>Search app only:</P><PRE>|rest/servicesNS/-/search/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule</PRE><P>&nbsp;</P> Fri, 21 Feb 2025 23:24:29 GMT https://community.splunk.com/t5/Splunk-Search/Questions-on-query-to-get-all-alerts-which-are-configured-in/m-p/712270#M240314 Cheng2Ready 2025-02-21T23:24:29Z https://community.splunk.com/t5/Splunk-Search/Questions-on-query-to-get-all-alerts-which-are-configured-in/m-p/712287#M240318 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256484">@Cheng2Ready</a>&nbsp;</P><P>If you have a look in $SPLUNK_HOME/etc/system/default/savedsearches.conf - you can see some of the default values for items you're referring to, for example:</P><LI-CODE lang="markup">action.email = 0 action.populate_lookup = 0 action.rss = 0 action.script = 0</LI-CODE><P>This ultimately means these arent configured, because if they were configured for a specific report/search/alert then the value would be updated to 1.</P><P>Not all variables are alike - Developers who create and share their own alert actions might use different default values (e.g. blank instead of 0).</P><P>Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.<BR />Regards</P><P>Will</P> Sat, 22 Feb 2025 06:57:01 GMT https://community.splunk.com/t5/Splunk-Search/Questions-on-query-to-get-all-alerts-which-are-configured-in/m-p/712287#M240318 livehybrid 2025-02-22T06:57:01Z