Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does a search variable in filter exception within search command require special handling?

pm771
Communicator
‎07-28-2022 09:45 AM

This is my 2nd follow-up regarding this solution:  https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/...  

My question now is about the search field (that contains the actual Splunk query behind each alert).  Does this field require any special handling?

If I need to use this field for filtering purposes inside a search command, would it be different than using any other field like title.

Or can I simply use something like following:

 

|rest/servicesNS/-/-/saved/searches | search alert.track=1 AND title="prefix*" AND search="index=someindex*"

 



 

0 Karma
Reply

pm771
Communicator
‎07-28-2022 02:43 PM

@richgalloway 

I understand that. My question was specific to search field that that is a part of REST call return. 

Is REST call similar to sub-search in regards to the special meaning of search field?

Like something similar to https://community.splunk.com/t5/Splunk-Search/Subsearch-fields-quot-query-quot-quot-search-quot-How-...

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2022 05:34 PM

It's just a field.  There's nothing wrong or special about 

| search search=foo
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2022 11:02 AM

When you run a query without a leading | character you are running an implicit search command.  Explicit search commands are very much the same.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top