Currently we have 82 active rules/use cases in Splunk, and a few of them were disabled. I was trying to pull a report of all 82 rules but I couldn't manage to do it. I would request you to help me out on this...?
Thanks in advance,
You don't say where you are finding 82, so I can't advise about the difference.
The status of each alert is in the "disabled" field.
Start with this query, then add a table command to display the fields you care about.
```
| rest /servicesNS/-/-/saved/searches splunk_server=local | search alert_type!="always"
```
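A completed version of the query above, added here as an example rather than part of the original answer: it turns the "disabled" field into a readable status, tabulates the fields a rules report usually needs, and adds a per-app count so the total can be compared against whatever view produced the 82. The field names (title, disabled, cron_schedule, eai:acl.app, eai:acl.owner) are the standard ones returned by the saved/searches endpoint; which of them matter for your report is an assumption.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search alert_type!="always"
| eval status=if(disabled=1, "disabled", "enabled")
| table title eai:acl.app eai:acl.owner cron_schedule alert_type status
| sort eai:acl.app title
```

To see how the rules are distributed before building the full report, replace the table and sort lines with `| stats count by eai:acl.app status`; the app column shows whether a count taken from one app context (such as the Settings page opened inside a single app) would differ from the count over all apps returned by the REST call.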
Thanks for getting back to me...!
The below-mentioned query is showing 182 rules, but I could see only 82 in the settings. Is there something we have to add..?
Can we get the status (i.e. enabled or disabled) on this...?