Hi,
I'm using Splunk's REST API to access Splunk objects. The goal is to disable/enable saved alerts (not all search objects) based on the title entered. The approach I have taken is to access
https://localhost:8089/servicesNS/admin/search/saved/searches/
and compare the titles. But the requirement is to disable the object only if it is an Alert (the ones displayed on this page:
http://localhost:8000/en-US/app/search/alerts).
This is just a subset of the results displayed in
http://localhost:8000/en-US/manager/launcher/saved/searches?ns=-&pwnr=-&search=&app_only=1
I'm checking to see if property "actions" is not empty or property "alert.track" is "1" to check if it is an alert. But it looks like a new search query with some conditions added is also displayed in the alerts page.
So I would like to know if there is a combination of properties that I can use to distinguish an alert from a search object?
Is it a namespace issue?
Try here
https://answers.splunk.com/answers/146985/how-to-view-list-of-email-addresses-for-saved-alerts.html
You need to use namespace wildcards to get all the searches (run as admin); I've added a filter to only load searches that have the email action enabled:
| rest /servicesNS/-/-/saved/searches search="action.email=1" | table title eai:acl.app eai:acl.owner disabled is_scheduled cron_schedule action.email*
I also found these pages helpful:
http://docs.splunk.com/Documentation/Splunk/6.0.2/RESTAPI/RESTsearch
http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTsearchExamples
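Putting the two threads together, the wildcard-namespace listing from the answer and the asker's alert.track/actions test, as an added Python example that is not code from either poster. The management URL, the bearer token read from SPLUNK_TOKEN and the inline sample listing are assumptions or constructed data; the heuristic is the asker's own and inherits its limitation that any saved search with an action or alert tracking passes.

```python
import json
import os
import ssl
import urllib.parse
import urllib.request

# Assumed, not from the thread: management URL and an auth token supplied via the environment.
BASE_URL = os.environ.get("SPLUNK_URL", "https://localhost:8089")
TOKEN = os.environ.get("SPLUNK_TOKEN", "")
# Constructed sample shaped like a saved/searches?output_mode=json listing.
SAMPLE_LISTING = {"entry": [
    {"name": "Failed logins", "acl": {"app": "search", "owner": "admin"},
     "content": {"alert.track": "1", "actions": "email", "is_scheduled": "1"}},
    {"name": "Failed logins", "acl": {"app": "search", "owner": "bob"},
     "content": {"alert.track": "0", "actions": "", "is_scheduled": "1"}},
    {"name": "Weekly report", "acl": {"app": "search", "owner": "admin"},
     "content": {"alert.track": False, "actions": "", "is_scheduled": "1"}},
]}

def truthy(value):
    """Flags come back as "1"/"0", true/false or ints depending on the output mode."""
    return str(value).strip().lower() in ("1", "true")

def is_alert(content):
    """The asker's heuristic: tracked in the alert manager, or at least one action wired up."""
    return truthy(content.get("alert.track", "0")) or bool(str(content.get("actions") or "").strip())

def select_alerts(listing, title):
    """Entries whose title matches and that pass is_alert; plain scheduled reports are skipped."""
    return [e for e in listing.get("entry", []) if e.get("name") == title and is_alert(e.get("content", {}))]

def _request(method, path, data=None):
    url = BASE_URL + path + ("&" if "?" in path else "?") + "output_mode=json"
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", "Bearer " + TOKEN)
    # Default context verifies splunkd's certificate; point SSL_CERT_FILE at your CA if it is self-signed.
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def set_alert_enabled(title, enabled):
    """Disable (or enable) every alert with this title across all apps and owners; returns (app, owner) pairs touched."""
    listing = _request("GET", "/servicesNS/-/-/saved/searches?count=0")  # wildcard namespace, run as admin
    touched = []
    for entry in select_alerts(listing, title):
        app, owner = entry["acl"]["app"], entry["acl"]["owner"]
        path = "/servicesNS/%s/%s/saved/searches/%s" % (owner, app, urllib.parse.quote(entry["name"], safe=""))
        _request("POST", path, {"disabled": "0" if enabled else "1"})  # POST back to the owning namespace
        touched.append((app, owner))
    return touched
```

Against the sample listing, select_alerts("Failed logins") returns only admin's entry, because bob's copy has no action and is not tracked, so only the object that is actually an alert gets disabled.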