Splunk Search

Listing all saved searches from all apps via REST without correlation searches

karadikid
Observer

Hi All,

So, I know I can get a list of all enabled saved searches by doing:

| rest count=0 /servicesNS/-/-/saved/searches | search disabled=0 | table title

However, I want to list all enabled saved searches from all Apps, which are NOT "correlation searches". Any idea how to implement such query?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

A correlation search is the same as a saved search.  The only distinction is the app context.  You can use the regex command to filter on eai:acl.app, but you'll have to come up with a regular expression that matches only ES apps.  Something like this (which filters too much)

| rest count=0 /servicesNS/-/-/saved/searches | search disabled=0 
| regex eai:acl.app!="(DA-ESS)|(SA-)"
| table title

 

---
If this reply helps you, an upvote would be appreciated.
0 Karma

karadikid
Observer

Thanks richgalloway!

So, can I safely assume that a correlation search is only related to SplunkES and simply negate other apps in my queries?

I also wonder how the UI returns specifically "Correlation Searches"\"Saved Searches"\etc... when searching via the "content management" UI. Any idea how I can mimic this behaviour? 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I dug further into my notes and found this query.

| rest splunk_server=local count=0 /services/saved/searches 
| where NOT 'action.correlationsearch.enabled'=1

 

---
If this reply helps you, an upvote would be appreciated.
0 Karma