Hi Splunkers, as per thread title, I need to build one or more searches that show me, for a specific app, all alerts, reports and dashboards owned by a specific app.
Now, I know very well that the community is full of topics with this problem and related answers. The issue is the following: none of them works properly in my case. This is because, when I run the search, if I specify the app, I get "mixed" results: I mean, I get an output composed of alerts owned by the app I'm searching for, but also others.
Let me be more specific.
I know that, for such kind of search, the base string is:
| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title
Which means: hey, return all saved searches for all apps on the local Splunk server (a SH, in my case).
So, if I execute the above search, I get more or less 450 results.
So, what about if I need to filter? Very simple:
| rest splunk_server=local /servicesNS/-/<app name here>/saved/searches
| table title
That should return all and only saved searches for requested app (a custom one in my cases).
Problem: the app I need info on has 119 saved searches (checked in the GUI on the related page).
The above query returns a total of 256; analyzing the output, it returns searches owned by other apps.
Of course, I have already performed the obvious check, which is: am I sure that the searches in the output belong to different apps and are not all for the one I'm searching for? Yes, I checked, and in the output there are also Enterprise Security searches, so the search is definitely returning more data than the one I need.
So, my question is: what can be the root cause of this behavior, if searches ownership is correct?
Ok, for the first time I don't know which answer I should label as the solution XD
That's because both @isoutamo and @dural_yyz hints helped me to build the final search.
Final result is:
| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=<app name here>"
| rename "alert.track" as alert_track
| eval type=case(alert_track=1, "alert",
(isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert",
(isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert",
true(), "report")
| table title, type
With this, I can get a table with the searches' titles and their type, I mean alert or report.
Thanks to both!
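As an added illustration (my own code, not from anyone in the thread), here is a small Python model of the difference between what the app-scoped endpoint returns (the app's own objects plus objects shared globally from other apps) and what the eai:acl.app filter returns (only objects the app owns), with the thread's alert/report rule applied. Field names follow the Splunk REST output; the sample entries and app names are constructed.

```python
# Added example, not from the thread: models why /servicesNS/-/<app>/... returns
# more than the app's own objects, and applies the thread's alert/report rule.
# Assumption: entries mimic the fields of a Splunk REST saved-search record
# (eai:acl.app, eai:acl.sharing, alert.track, actions, alert_threshold,
# alert_comparator, alert_type). The entries below are constructed, not real.

SAMPLE_ENTRIES = [
    {"title": "my_app_failed_logins", "eai:acl.app": "my_app", "eai:acl.sharing": "app",
     "alert.track": "1", "actions": "email", "alert_threshold": "5",
     "alert_comparator": "greater than", "alert_type": "number of events"},
    {"title": "my_app_weekly_report", "eai:acl.app": "my_app", "eai:acl.sharing": "app",
     "alert.track": "0", "actions": "", "alert_threshold": "",
     "alert_comparator": "", "alert_type": "always"},
    {"title": "ES - global notable", "eai:acl.app": "SplunkEnterpriseSecuritySuite",
     "eai:acl.sharing": "global", "alert.track": "0", "actions": "notable",
     "alert_threshold": "0", "alert_comparator": "greater than", "alert_type": "number of events"},
    {"title": "search_private_report", "eai:acl.app": "search", "eai:acl.sharing": "app",
     "alert.track": "0", "actions": "", "alert_threshold": "",
     "alert_comparator": "", "alert_type": "always"},
]

def _set(entry, key):
    """True when the field exists and is not empty (isnotnull(x) AND x!="")."""
    return entry.get(key) not in (None, "")

def classify(entry):
    """Same rule as the thread's case(): alert on any branch, otherwise report."""
    if str(entry.get("alert.track")) == "1":
        return "alert"
    if _set(entry, "actions") and _set(entry, "alert_threshold"):
        return "alert"
    if _set(entry, "alert_comparator") and _set(entry, "alert_type") \
            and entry["alert_type"] != "always":
        return "alert"
    return "report"

def visible_in_app(entries, app):
    """/servicesNS/-/<app>/saved/searches: the app's objects plus globally shared ones."""
    return [e for e in entries if e["eai:acl.app"] == app or e["eai:acl.sharing"] == "global"]

def owned_by_app(entries, app):
    """search="eai:acl.app=<app>": only objects whose ACL names that app."""
    return [e for e in entries if e["eai:acl.app"] == app]

def inventory(entries, app):
    """title -> alert/report for the objects the app actually owns."""
    return {e["title"]: classify(e) for e in owned_by_app(entries, app)}
```

Running visible_in_app and owned_by_app for "my_app" on the sample shows the globally shared ES object in the first list but not in the second, which is the extra-results effect described in the question.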
Not sure why your example is not working with the reduced list you expect; I get similar results from what you tried. Plus, here is an alternate for you to try.
| rest splunk_server=local /servicesNS/-/search/saved/searches
| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=search"