Splunk Enterprise

Search with REST API to list all alerts, reports and dashboards of a specific app

SplunkExplorer
Contributor

Hi Splunkers, as per the thread title, I need to build one or more searches that show me, for a specific app, all alerts, reports and dashboards owned by that app.

Now, I know very well that the community is full of topics with this problem and related answers. The issue is the following: none of them work properly in my case. This is because, when I run the search, if I specify the app, I get "mixed" results: I mean, I get an output composed of alerts owned by the app I'm searching for, but also others.

Let me be more specific.

I know that, for such kind of search, the base string is:

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| table title

This means: hey, return me all saved searches for all apps on the local Splunk server (a SH, in my case).

So, if I execute the above search, I get more or less 450 results.
So, what if I need to filter? Very simple:

| rest splunk_server=local /servicesNS/-/<app name here>/saved/searches 
| table title

That should return all and only the saved searches for the requested app (a custom one in my case).
Problem: the app I need info on has 119 saved searches (checked in the GUI on the related page).
The above query returns me a total of 256; analyzing the output, it returns searches owned by other apps.
Of course, I have already performed the obvious check, which is: am I sure that the searches in the output belong to different apps and are not all for the one I'm searching for? Yes, I checked, and in the output there are also Enterprise Security searches, so for sure the search is returning more data than I need.

So, my question is: what can be the root cause of this behavior, if search ownership is correct?

0 Karma

SplunkExplorer
Contributor

Ok, for the first time I don't know which answer I should label as the solution XD

That's because both @isoutamo's and @dural_yyz's hints helped me to build the final search.
The final result is:

| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=<app name here>" 
| rename "alert.track" as alert_track 
| eval type=case(alert_track=1, "alert", 
    (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", 
    (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", 
    true(), "report") 
| table title, type

With this, I can get a table with the search titles and their typology, I mean alert or report.

Thanks to both!

0 Karma
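As an added example (not code from this thread), here is the same alert-vs-report decision as the accepted answer's case() expression, applied in Python to a constructed JSON response in the shape that /servicesNS/-/-/configs/conf-savedsearches returns with output_mode=json. The owned_only switch shows the difference between filtering on eai:acl.app and the app-scoped namespace view, which also lists objects other apps share globally (the reason ES searches showed up in the 256 results); the app names and search titles are made up.

```python
import json

# Constructed sample in the shape of the JSON returned by
# /servicesNS/-/-/configs/conf-savedsearches?output_mode=json (not real data).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Failed logins spike",
     "acl": {"app": "my_custom_app", "sharing": "app"},
     "content": {"alert.track": "1", "actions": "email", "alert_threshold": "10",
                 "alert_comparator": "greater than", "alert_type": "number of events"}},
    {"name": "Weekly summary",
     "acl": {"app": "my_custom_app", "sharing": "app"},
     "content": {"alert.track": "0", "actions": "", "alert_threshold": "",
                 "alert_comparator": "", "alert_type": "always"}},
    {"name": "ESS - Threat Activity Detected",
     "acl": {"app": "SplunkEnterpriseSecuritySuite", "sharing": "global"},
     "content": {"alert.track": "1", "actions": "notable", "alert_threshold": "0",
                 "alert_comparator": "greater than", "alert_type": "number of events"}},
]})


def _filled(value):
    """True when a savedsearches.conf attribute is present and non-empty."""
    return value is not None and str(value) != ""


def classify(content):
    """Alert-or-report decision, mirroring the case() in the accepted answer."""
    if str(content.get("alert.track", "")) == "1":
        return "alert"
    if _filled(content.get("actions")) and _filled(content.get("alert_threshold")):
        return "alert"
    if (_filled(content.get("alert_comparator"))
            and _filled(content.get("alert_type"))
            and content["alert_type"] != "always"):
        return "alert"
    return "report"


def list_saved_searches(response_text, app, owned_only=True):
    """Return (title, type) pairs for one app.
    owned_only=True filters on the owning app, like search="eai:acl.app=<app>".
    owned_only=False emulates the /servicesNS/-/<app>/ namespace view, which
    also shows objects that other apps share globally."""
    rows = []
    for entry in json.loads(response_text)["entry"]:
        acl = entry["acl"]
        if acl["app"] == app or (not owned_only and acl.get("sharing") == "global"):
            rows.append((entry["name"], classify(entry["content"])))
    return rows
```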

isoutamo
SplunkTrust
Hi
In the GUI there are separate tabs for alerts and reports, but when you query them with REST, you get both at the same time.
Here is an old post which tells how you could try to identify which is an alert and which is a report. https://community.splunk.com/t5/Monitoring-Splunk/How-do-I-export-all-alerts-to-csv-or-pdf/m-p/62922...
r. Ismo

dural_yyz
Builder

Not sure why your example is not working with the reduced list you expect; I get similar results from what you try. Plus, here is an alternate for you to try.

| rest splunk_server=local /servicesNS/-/search/saved/searches
| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches search="eai:acl.app=search"