Hi,

thank you for your answer. But, I tested your queries on my environment (Splunk Cloud) and they return more objects than those that are listed in settings--> reports, and so on.

e.g :

216 vs 118 alerts

373 vs 34 reports

852 vs 106 dashboards

Is there a way to narrow the results?

Kind regards

Marta

You can do whatever you want with the results - 

The -/- parameters specify the user and app you want to restrict the results to.

You can either restrict the results returned by specifying an app context you want the results returned for, or simply put in additional search or where clauses to see what results you want and which you don't

If you change the table command at the end to 

| table title *

you will see all the data about each object.

If you do

| head 1
| transpose 0
| where len('row 1')>0

you will get the output from a single result and you can see what fields are available in the first column and values of the fields in the second.

Thank you for your answer, the problem is that the total numbers that I get from the query do not coincide with the totals (for all apps and for all users) that I get from the settings view.

thank you

Best regards

Marta

When you view the settings page it will show you data from your context - if you use the REST API as written it will show you all for the context of any user - you should be able to see a specific entry that is returned from the REST API to understand the difference.

| rest splunk_server=local /servicesNS/-/-/saved/searches 

The -/- is any user/all apps, so if you replace the first - with your user name you may see different results

| rest splunk_server=local /servicesNS/your_user/-/saved/searches