Reporting
Highlighted

Report vs Alert in REST API for saved searches

Explorer

I queried the /servicesNS/-/-/saved/searches GET API and got a number of responses which included saved searches listed under Reports and Alerts on the front end. I took the response for one of the alerts, extracted the relevant information (without changing any values) and did a POST to /servicesNS/{owner}/{app}/saved/searches/{name}. After I did the POST, the saved search is now showing up under Report on the UI.

0 Karma
Highlighted

Re: Report vs Alert in REST API for saved searches

Explorer

I used this to determine if the saved search was a report or an alert:
| eval ss_type=if((NOT 'action'=="*" AND NOT alert_track=="*" AND NOT alert_condition=="*" AND 'alert_type'=="always"),"report","alert")
it may just be when 'alert_type'=="always" but I added the others to be safe. I needed to do this to create clickable links that would open the report or alert . So you might want to check if it has these values, which would cause it to be recognized as a report.

Highlighted

Re: Report vs Alert in REST API for saved searches

Motivator

It's an old thread, but is alert_type=="always" enough to determine that a saved search is an alert?

0 Karma
Highlighted

Re: Report vs Alert in REST API for saved searches

Motivator

Apparently, it's the other way around - alert_type == "always", means that the saved search is a report, because it always fires and therefore to detect alerts we need to use alert_type != "always", in cases when alert_type == "number of events" etc.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.