I think savedsearches.conf contains information about alerts and reports. If you execute the following btool command and check the result, which is the report or the alert? I can't tell.
If I use splunk btool savedsearches list
<Question 1>
From the btool results, what parameters can I look at to determine that the stanza is a report?
<Question 2>
From the btool results, what parameters can I look at to determine that the stanza is an alert?
alert.track=0 means report.
alert.track=1 means alert.
If the value is auto, that means Splunk would determine the value depending on the tracking settings of the actions applied (for that, see the "actions.<some-action>" parameters in the btool output). Most of the time, if you see actions, it's an alert.
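A sketch of the check discussed in this thread, added here as an example and not part of any poster's reply or of Splunk's own tooling: it parses `splunk btool savedsearches list` output and labels each stanza by `alert.track`, falling back to enabled `action.<name>` settings when the value is `auto`. The sample stanzas are constructed, and the `auto` result is a likelihood, not a guarantee.

```python
TRUE, FALSE = {"1", "true"}, {"0", "false"}

# Constructed sample of `splunk btool savedsearches list` output (not from a real system).
SAMPLE = """\
[default]
alert.track = auto
[Failed Logins Over Threshold]
action.email = 1
alert.track = 1
search = index=auth action=failure | stats count by user
[Weekly Auth Summary]
alert.track = 0
[Forward To Webhook]
action.webhook = 1
alert.track = auto
[Ad Hoc Stats]
action.email = 0
alert.track = auto
"""

def parse_btool(text):
    """Split btool output into {stanza name: {setting: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # search strings may contain "="
            current[key.strip()] = value.strip()
    return stanzas

def enabled_actions(settings):
    """Names of actions switched on via action.<name> = 1/true (sub-settings are skipped)."""
    return sorted(k.split(".", 1)[1] for k, v in settings.items()
                  if k.startswith("action.") and k.count(".") == 1 and v.lower() in TRUE)

def classify(settings):
    """Apply the thread's heuristic; 'auto' falls back to whether any action is enabled."""
    track = settings.get("alert.track", "auto").lower()
    if track in TRUE:
        return "alert"
    if track in FALSE:
        return "report"
    return "likely alert" if enabled_actions(settings) else "likely report"

def classify_all(text):
    """Classify every stanza except [default], which only carries inherited settings."""
    return {name: classify(s) for name, s in parse_btool(text).items() if name != "default"}

if __name__ == "__main__":
    print(classify_all(SAMPLE))
```

To run it against a live instance, pass the captured btool output to `classify_all` in place of `SAMPLE`.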
Hi
When you look at the description of savedsearches.conf, you see
alert.track = <boolean> | auto
* Specifies whether to track the actions triggered by this scheduled search.
* auto - determine whether to track or not based on the tracking setting of
each action, do not track scheduled searches that always trigger actions.
* true - force alert tracking.
* false - disable alert tracking for this search.
* Default: auto
I read this as not saying with 100% certainty that this always defines the type of the saved search. If it is true then it's an alert, but if it's something else then it can be an alert or a report.
r. Ismo
Hi
you already asked this on another thread.
r. Ismo
Hi @isoutamo, thanks a lot.
Yes, I know you already answered the question yesterday, but I didn't find it satisfactory.
@VatsalJagani answer gave me the clarity how to distinguish between alert and the report.
Thanks for your response.