Other Usage

Report vs Alert in REST API for saved searches

catchaj88
Explorer

I queried the /servicesNS/-/-/saved/searches GET API and got a number of responses which included saved searches listed under Reports and Alerts on the front end. I took the response for one of the alerts, extracted the relevant information (without changing any values) and did a POST to /servicesNS/{owner}/{app}/saved/searches/{name}. After I did the POST, the saved search is now showing up under Report on the UI.

0 Karma

AVOLLMER
Explorer

I used this to determine if the saved search was a report or an alert:
| eval ss_type=if((NOT 'action'=="*" AND NOT alert_track=="*" AND NOT alert_condition=="*" AND 'alert_type'=="always"),"report","alert")
it may just be when 'alert_type'=="always" but I added the others to be safe. I needed to do this to create clickable links that would open the report or alert . So you might want to check if it has these values, which would cause it to be recognized as a report.

danielbb
Motivator

It's an old thread, but is alert_type=="always" enough to determine that a saved search is an alert?

0 Karma

danielbb
Motivator

Apparently, it's the other way around - alert_type == "always", means that the saved search is a report, because it always fires and therefore to detect alerts we need to use alert_type != "always", in cases when alert_type == "number of events" etc.

0 Karma

emottola
Explorer

The thread is even older now, but I also found you need to specify  `'alert.suppress': 0` when posting to `/servicesNS/{owner}/{app}/saved/searches/` to make sure it's an alert and not a report.
In total, I specified at least the below parameters to create an alert

 

{
    'is_scheduled': 1,
    'cron_schedule': '09-59/10 * * * *',
    'alert_comparator': 'greater than',
    'alert_threshold': 5,
    'alert_type': 'number of events',
    'alert.suppress': 0,
}

 

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...