Thanks for your response.
couple of questions
Does saved/searches command also read searches from local/savedsearches.conf?
Where do i add this command? How can i call this from a python script?.
Can i run it using curl?

This is how my alert looks in local/savedsearches.conf. I dont want the password here to be cleartext.

[test-alert]
action.creds_transfer = 1
action.creds_transfer.param.password = coolio
action.creds_transfer.param.username = test
alert.suppress = 0
alert.track = 0
counttype = number of events
cron_schedule = 0 1 * * *
description = test Alert
dispatch.earliest_time = -1d
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = equal to
run_on_startup = 1
search = *

It doesn't work that way.

ok. i tried with
|rest /servicesNS/-/-/saved/searches | where action.creds_transfer.param.username = "aaa"
and it didnt give error but also i did not get any results.
When i do |rest /servicesNS/-/-/saved/searches , I see the results and the value for action.creds_transfer.param.username.
but when i put where clause i do not see any results.
I also tried with other values instead of username and for those too i did not get any results.

is the syntax correct?
Thanks
-Gauri

You have to rot13-encode coolio so use pbbyvb:

http://www.rot13.com

I assumed the whole purpose was to obfuscate plain-text passwords in your search and search results, which this approach does.

i ran this on splunk search
|rest /servicesNS/admin/infoblox/saved/searches action.creds_transfer.param.username = "test" | rex mode=sed field=action.creds_transfer.param.password "y/anbocpdqerfsgthuivjwkxlymz/naobpcqdresftguhviwjxkylzm/ y/NAOBPCQDRESFTGUHVIWJXKYLZM/ANBOCPDQERFSGTHUIVJWKXLYMZ/" | where action.creds_transfer.param.password = "coolio"
it gives me this error:
Error in 'rest' command: Invalid argument: 'action.creds_transfer.param.username'

I had a mistake, please try again with updated answer text.