Splunk Cloud Platform

How to list all alerts, reports and dashboards via Splunk query?

Marta88
Explorer

Hi,

Is it possible to get the list of Splunk alerts, reports and dashboards via 3 different Splunk queries?

Thank you

Kind regards

Marta

 

0 Karma

bowesmana
SplunkTrust

You can get these using the REST API.

Alerts

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where alert_type!="always"
| table title

Reports

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where alert_type="always"
| table title

Dashboards

| rest /servicesNS/-/-/data/ui/views
| table title

 

0 Karma

Marta88
Explorer

Hi,

Thank you for your answer. But I tested your queries on my environment (Splunk Cloud) and they return more objects than those that are listed in Settings --> Reports, and so on.

e.g.:

216 vs 118 alerts

373 vs 34 reports

852 vs 106 dashboards

Is there a way to narrow the results?

Kind regards

Marta

0 Karma

bowesmana
SplunkTrust

You can do whatever you want with the results.

The -/- parameters specify the user and app you want to restrict the results to.

You can either restrict the results returned by specifying an app context you want the results returned for, or simply put in additional search or where clauses to see what results you want and which you don't.

If you change the table command at the end to

| table title *

you will see all the data about each object.

If you do

| head 1
| transpose 0
| where len('row 1')>0

you will get the output from a single result and you can see what fields are available in the first column and values of the fields in the second.

 

0 Karma

Marta88
Explorer

Thank you for your answer, the problem is that the total numbers that I get from the query do not coincide with the totals (for all apps and for all users) that I get from the settings view.

Thank you

Best regards

Marta

0 Karma

bowesmana
SplunkTrust

When you view the settings page it will show you data from your context - if you use the REST API as written it will show you all for the context of any user - you should be able to see a specific entry that is returned from the REST API to understand the difference.

| rest splunk_server=local /servicesNS/-/-/saved/searches 

The -/- is any user/all apps, so if you replace the first - with your user name you may see different results

| rest splunk_server=local /servicesNS/your_user/-/saved/searches 
0 Karma
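
Added example, not part of the thread: one way to see where the extra objects come from is to break the `-/-` results down by app, owner and sharing level, which shows how many rows are other users' private objects or live in other apps. It reuses the alert/report split from the queries above and assumes the `eai:acl.app`, `eai:acl.owner` and `eai:acl.sharing` fields that the endpoint returns with each entry.

```spl
| rest splunk_server=local /servicesNS/-/-/saved/searches
| rename "eai:acl.app" as app, "eai:acl.owner" as owner, "eai:acl.sharing" as sharing
| eval type=if(alert_type!="always", "alert", "report")
| eval visibility=if(sharing="user", "private to ".owner, "shared (".sharing.")")
| stats count by type, app, visibility
| sort type, app, - count
```

For dashboards, point the same breakdown at /servicesNS/-/-/data/ui/views and drop the `type` eval.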