Does a search variable in filter exception within ...

pm771 · ‎07-28-2022

This is my 2nd follow-up regarding this solution: https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/...

My question now is about the search field (that contains the actual Splunk query behind each alert). Does this field require any special handling?

If I need to use this field for filtering purposes inside a search command, would it be different than using any other field like title.

Or can I simply use something like following:

|rest/servicesNS/-/-/saved/searches | search alert.track=1 AND title="prefix*" AND search="index=someindex*"

pm771 · ‎07-28-2022

@richgalloway

I understand that. My question was specific to search field that that is a part of REST call return.

Is REST call similar to sub-search in regards to the special meaning of search field?

Like something similar to https://community.splunk.com/t5/Splunk-Search/Subsearch-fields-quot-query-quot-quot-search-quot-How-...

richgalloway · ‎07-28-2022

It's just a field. There's nothing wrong or special about

| search search=foo

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎07-28-2022

When you run a query without a leading | character you are running an implicit search command. Explicit search commands are very much the same.

---
If this reply helps you, Karma would be appreciated.

Does a search variable in filter exception within search command require special handling?

other

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?