Hi,
I got confused when running the following search to identify which searches are enabled in the environment:
| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| table csearch_name, csearch_label, app, security_domain, description
Because I got a completely different result when I added:
disabled=0
Apparently, there are correlation searches with action.correlationsearch.enabled=1 and disabled=1 at the same time... what does that mean? I found the searches disabled in Content Management, so why does action.correlationsearch.enabled equal 1?
The action.correlationsearch.enabled setting specifies whether the *action* is active (1) or not (0).
The disabled setting specifies whether the *search* is active (0) or not (1).
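To make the two independent flags concrete, here is an added example (not from this thread): a small Python classifier run over constructed saved-search entries, sorting them into live correlation searches, searches whose correlation action is flagged on but whose `disabled` is 1 (the rows that caused the confusion above), and everything else. The entry shape mimics the `output_mode=json` form of /services/saved/searches and is an assumption; the titles and values are made up.

```python
import re
from typing import Dict, List

# The pattern the asker's SPL passes to match(), applied with fullmatch so that
# a value such as "10" is not accepted merely because it contains "1".
CS_ENABLED_RE = re.compile(r"1|[Tt]|[Tt][Rr][Uu][Ee]")


def is_disabled(value) -> bool:
    """Normalise `disabled`: assumed to arrive as a JSON boolean from the REST
    API, or as the string "0"/"1" as the rest command shows it."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "t"}


def correlation_action_enabled(content: Dict) -> bool:
    """True when action.correlationsearch.enabled says the action is on."""
    value = str(content.get("action.correlationsearch.enabled", "")).strip()
    return CS_ENABLED_RE.fullmatch(value) is not None


def classify_saved_searches(entries: List[Dict]) -> Dict[str, List[str]]:
    """Split saved searches by the two independent flags: the action flag and
    the search's own `disabled` flag.  A search is only a live correlation
    search when the action is enabled AND disabled is 0; the `flagged_disabled`
    bucket holds the rows that puzzled the asker (flag set, search switched off)."""
    result = {"active": [], "flagged_disabled": [], "other": []}
    for entry in entries:
        content = entry.get("content", {})
        if not correlation_action_enabled(content):
            result["other"].append(entry["name"])
        elif is_disabled(content.get("disabled", False)):
            result["flagged_disabled"].append(entry["name"])
        else:
            result["active"].append(entry["name"])
    return result


# Constructed sample shaped like /services/saved/searches?output_mode=json
# entries; names and values are made up for this example.
SAMPLE_ENTRIES = [
    {"name": "Example CS Alpha", "content": {"disabled": False, "action.correlationsearch.enabled": "1"}},
    {"name": "Example CS Beta", "content": {"disabled": True, "action.correlationsearch.enabled": "1"}},
    {"name": "Example CS Gamma", "content": {"disabled": "0", "action.correlationsearch.enabled": "true"}},
    {"name": "Plain Report Delta", "content": {"disabled": "0", "action.correlationsearch.enabled": "0"}},
    {"name": "Odd Value Epsilon", "content": {"disabled": "0", "action.correlationsearch.enabled": "10"}},
]
```

Only the "active" bucket corresponds to what the SPL returns once `disabled=0` is added; the original search without that filter returns "active" and "flagged_disabled" together.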