This is my 2nd follow-up regarding this solution: https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/...
My question now is about the search field (that contains the actual Splunk query behind each alert). Does this field require any special handling?
If I need to use this field for filtering purposes inside a search command, would it be different than using any other field like title?
Or can I simply use something like the following:
| rest /servicesNS/-/-/saved/searches | search alert.track=1 AND title="prefix*" AND search="index=someindex*"
@richgalloway
I understand that. My question was specific to the search field that is a part of the REST call return.
Is a REST call similar to a sub-search in regard to the special meaning of the search field?
Like something similar to https://community.splunk.com/t5/Splunk-Search/Subsearch-fields-quot-query-quot-quot-search-quot-How-...
It's just a field. There's nothing wrong or special about
| search search=foo
When you run a query without a leading | character you are running an implicit search command. Explicit search commands are very much the same.