Solved: How do I list all the saved searches for an App in...

drdosia · ‎01-23-2015

I have tried this:
| rest /services/saved/searches | table title search
I got only 36 results.
I then tried
| rest /services/saved/searches | table ***
to see all the fields.

**eai:acl.app matches what should show the Splunk App that the saved searches come from.
I got 36 results and eai:acl.app had "search" for all 36 of them. They match the saved searches in the search App.
I was running this as an id with the Admin role that should see all Apps.
I have over 100 Apps with anywhere from 3 to 70 saved searches each.
It does not matter that I am in any particular App (context). I get the same results only showing the 36 from the search App.
How do I list the saved searches from one (or more) of the other Apps?

This is on version 5.03

martin_mueller · ‎01-23-2015

You'll want the servicesNS REST endpoints, like this:

| rest /servicesNS/-/your_app/saved/searches

| rest /servicesNS/your_user/your_app/saved/searches

View solution in original post

martin_mueller · ‎01-23-2015

You'll want the servicesNS REST endpoints, like this:

| rest /servicesNS/-/your_app/saved/searches

| rest /servicesNS/your_user/your_app/saved/searches

drdosia · ‎01-23-2015

Follow-up
The answer by martin_Muller works, but be aware that you need to be logged in as a user that has access to Your_app
| rest /servicesNS/Your_user/Your_app/saved/searches | table eai:acl.app author title search

Note, unless you are an admin role you will not see the "private" non-shared saved searches

Many thanks to martin_mueller for a quick answer!

How do I list all the saved searches for an App in Splunk with rest?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?