Hi
I am not having much luck.
I want to find all scheduled reports and alerts that use a specific index (e.g. index=foo) or whose name contains a keyword (e.g. fooBar).
I tried the _audit index
index=_audit search = *"index=foo"* OR savedsearch_name=*fooBAR* provenance=scheduler | stats values(savedsearch_name)
I get some of the alerts (hopefully "provenance=scheduler" means it is scheduled), but I was looking for a better way, maybe with | rest
| rest /servicesNS/-/search/saved/searches
| table title,triggered_alert_count,search, cron_schedule,alert_type,alert_condition
| rex field=search "index=(?<indexName>.[^\s]+)"
| search indexName=foo
However I am not having much luck getting alerts that contain "index=foo" in the search field.
Any advice appreciated.
Thank you
Hi @Glasses2,
you can try something like this
| rest /servicesNS/-/search/saved/searches
| table title,triggered_alert_count,search, cron_schedule,alert_type,alert_condition
| rex field=search "index\s*\=\s*(?<indexname>\w+)"
| search indexname="foo"
| table search
Ciao.
Giuseppe
That rest call should work if you have index=foo in your data, but if you have index="foo" then it won't, and if your index statement is in a macro used by the search it won't either.
The 'is_scheduled' field also exists to say whether it's scheduled or not, and the disabled flag is 1 or 0.
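As an added illustration (not code from this thread), here is a Python version of the same filtering done over saved-search records, handling the quoted forms index="foo" and index = 'foo' that the plain rex misses, and honouring is_scheduled and disabled. The records are constructed samples shaped like the fields the saved/searches REST endpoint returns; the macro case is deliberately left unmatched, since resolving it would require expanding macro definitions.

```python
import re

# Constructed sample records (not real data): the fields of interest from
# | rest /servicesNS/-/search/saved/searches as strings, like the endpoint returns them.
SAVED_SEARCHES = [
    {"title": "foo errors", "search": "index=foo sourcetype=app ERROR", "is_scheduled": "1", "disabled": "0"},
    {"title": "quoted index", "search": 'search index="foo" status=500', "is_scheduled": "1", "disabled": "0"},
    {"title": "single quoted", "search": "index = 'foo' | stats count", "is_scheduled": "0", "disabled": "0"},
    {"title": "other index", "search": "index=foobar | head 10", "is_scheduled": "1", "disabled": "0"},
    {"title": "via macro", "search": "`foo_base` | stats count", "is_scheduled": "1", "disabled": "0"},
    {"title": "disabled fooBar alert", "search": "index=bar", "is_scheduled": "1", "disabled": "1"},
]

# Matches index=foo, index="foo" and index = 'foo'; the optional quote is captured
# in group q and required again after the value so mismatched quotes do not match.
INDEX_RE = re.compile(r'\bindex\s*=\s*(?P<q>["\']?)(?P<name>[^\s"\']+)(?P=q)', re.IGNORECASE)


def index_names(search: str) -> set[str]:
    """Every index name referenced directly in the search text, lower-cased.
    Indexes hidden inside a macro (`foo_base`) are not visible here."""
    return {m.group("name").lower() for m in INDEX_RE.finditer(search)}


def find_saved_searches(entries, index=None, keyword=None,
                        scheduled_only=True, include_disabled=False):
    """Titles of saved searches that use `index` or whose title contains `keyword`.
    By default only scheduled (is_scheduled=1) and enabled (disabled=0) ones are kept."""
    hits = []
    for e in entries:
        if scheduled_only and e.get("is_scheduled") != "1":
            continue
        if not include_disabled and e.get("disabled") == "1":
            continue
        by_index = index is not None and index.lower() in index_names(e["search"])
        by_name = keyword is not None and keyword.lower() in e["title"].lower()
        if by_index or by_name:
            hits.append(e["title"])
    return hits


if __name__ == "__main__":
    print(find_saved_searches(SAVED_SEARCHES, index="foo"))
    print(find_saved_searches(SAVED_SEARCHES, index="foo", keyword="fooBar", include_disabled=True))
```

Against a live instance the list would be populated from the same endpoint (for example with output_mode=json) instead of the constructed records.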
Thank you for confirming. Do you know if
provenance=scheduler
in the _audit logs is equivalent to is_scheduled=1 with | rest search?
I don't know - sorry