We see lots of alerts right now. So I thought I would develop a dashboard that quickly searches through the alert configurations themselves, to see if I can spot any trends. While I'm at it, I'd like to find data on when they were fired.
I read that alert configurations end up in savedsearches.conf, but how do I search that? Is this even possible?
I have a feeling it involves a REST command, but the ones I'm writing return data other than what I want. Or else I'm searching the _internal index.
Thanks!
To search the savedsearches.conf file, start with
| rest /services/configs/conf-savedsearches
If you'd rather not re-invent the wheel, there are apps on Splunkbase that may help. See Search Activity (https://splunkbase.splunk.com/app/2632/) and Config Quest (https://splunkbase.splunk.com/app/3696/).
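As an added example (not from the answer above), here is one way to combine the two halves of the question: the alert definitions from the REST endpoint, joined with the scheduler log in _internal to see how often each one ran and fired over the last week. It assumes the standard field names of the scheduler sourcetype (savedsearch_name, status, result_count, alert_actions) and that the search runs on the search head that owns the alerts.

```spl
| rest /services/configs/conf-savedsearches splunk_server=local
| search is_scheduled=1 disabled=0 actions=*
| rename eai:acl.app AS app, title AS savedsearch_name
| table app savedsearch_name cron_schedule actions alert.severity search
| join type=left savedsearch_name
    [ search index=_internal sourcetype=scheduler earliest=-7d
      | stats count AS runs_7d,
              count(eval(status="success")) AS successful_runs_7d,
              count(eval(isnotnull(alert_actions) AND alert_actions!="")) AS fired_7d,
              sum(result_count) AS results_7d,
              max(_time) AS last_run
        BY savedsearch_name ]
| fillnull value=0 runs_7d successful_runs_7d fired_7d results_7d
| eval last_run=if(last_run>0, strftime(last_run, "%Y-%m-%d %H:%M"), "never")
| sort - fired_7d
```

Note that the subsearch inside join is subject to the usual subsearch result limits, so on a deployment with many thousands of scheduled searches narrow it by app or name first.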