Re: Filter saved searches for Alerts

tmontney · ‎06-10-2020

Using the API, I cannot tell the difference between reports and alerts. How do I distinguish? A parameter in my request? A property returned in the response?

https://mysplunkserver.local:8089/servicesNS/-/-/saved/searches?count=0

twesty · ‎06-11-2020

You should be able to use the alert_condition field for for this.

Check out the link here for more info on the endpoint 🙂

tmontney · ‎06-12-2020

What values are acceptable for alert_condition? It's blank for all my saved searches. I think this is "Trigger Conditions" where it's set to Custom. I don't have that in any of my alerts.

twesty · ‎06-12-2020

I'd take a look at your REST results and see which fields in action.* are the safest to work with for you. Unfortunately there isnt a field which states THIS IS AN ALERT. There really should be given the UI has such a clear separation between Alerts and Reports and the architecture behind the scenes stores the config in the same place... but that's another conversation for another time 😀

tmontney · ‎06-12-2020

For email, action.email.subject.alert works. Seems like it's only available for alerts. For other alert actions, nothing I can find that distinguishes them.

twesty · ‎06-12-2020

that would work. Just bear in mind that only relying on that one field as your condition will fail if you create an alert which does not send an email

Filter saved searches for Alerts

rest API

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?