Splunk Search

REST endpoint for SAVED SEARCHES - FILTERING

IAskALotOfQs
Path Finder

Hi all, I'm trying to get all the saved searches in Splunk that are in all apps. Could someone explain to me what the endpoint `servicesNS/-/-/saved/searches` is and what data is returned?

For reference, I've tried to use that endpoint and match it with saved searches only (reports) and not return any alerts. But the data returned has a lot more than expected, as the number in the "Reports" tab under "All apps" is a lot smaller than the number returned from the REST call.

Any help or link to docs would be appreciated.


richgalloway
SplunkTrust

That endpoint returns information about all saved searches in all apps. See the REST API Reference Manual for an explanation of the data returned.

Note that reports and alerts are both saved searches. Reports are distinguished by the attribute alert_type=always, but there may be other indicators.

---
If this reply helps you, Karma would be appreciated.

IAskALotOfQs
Path Finder

What other indicators would there be that distinguish reports only?


And also, how do you know that "alert_type=always" is an attribute that singles out reports? I can't find this info anywhere 🙂

richgalloway
SplunkTrust

Other attributes that *may* distinguish a report include alert.track and alert_condition, but I've found alert_type to be the best.

You won't find this information documented. It's tribal knowledge, and now you're part of the tribe. 🙂 Seriously, you can use your browser's console to view the REST commands sent for the UI's Searches, Reports, and Alerts dashboard to see how the two types are differentiated.

---
If this reply helps you, Karma would be appreciated.
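Putting the two answers together, here is an added example (not code from either poster or from Splunk) that builds the query string for `servicesNS/-/-/saved/searches` with the REST API's server-side `search` filter set to `alert_type=always`, and then separates a JSON response into reports and alerts. The sample response is constructed; the secondary check on a non-empty `alert_condition` is an assumption based on richgalloway's "may distinguish" remark, not documented behaviour.

```python
import json
from urllib.parse import urlencode


def saved_search_params(reports_only: bool = True) -> str:
    """Query string for servicesNS/-/-/saved/searches.

    count=0 lifts the default page size so every entry comes back, and
    `search` is the REST API's server-side filter, set here to the report
    indicator from the thread (alert_type=always).
    """
    params = {"output_mode": "json", "count": 0}
    if reports_only:
        params["search"] = "alert_type=always"
    return urlencode(params)


def classify(entry: dict) -> str:
    """Label one /saved/searches entry as 'report' or 'alert'.

    Primary indicator (from the thread): alert_type=always means report.
    Assumption added in this example: a non-empty alert_condition is
    treated as an alert regardless of alert_type.
    """
    content = entry.get("content", {})
    if content.get("alert_type") != "always":
        return "alert"
    if content.get("alert_condition"):
        return "alert"
    return "report"


def split_saved_searches(body: str) -> dict:
    """Parse an output_mode=json body and group app/name strings by type."""
    result = {"report": [], "alert": []}
    for entry in json.loads(body)["entry"]:
        app = entry.get("acl", {}).get("app", "?")
        result[classify(entry)].append(f"{app}/{entry['name']}")
    return result


# Constructed sample response, trimmed to the fields used above.
SAMPLE_BODY = json.dumps({"entry": [
    {"name": "Daily login report", "acl": {"app": "search"},
     "content": {"alert_type": "always", "alert_condition": ""}},
    {"name": "Failed logins spike", "acl": {"app": "search"},
     "content": {"alert_type": "number of events", "alert_condition": ""}},
    {"name": "Custom condition alert", "acl": {"app": "security"},
     "content": {"alert_type": "custom", "alert_condition": "search count > 5"}},
]})

if __name__ == "__main__":
    print(saved_search_params())
    print(json.dumps(split_saved_searches(SAMPLE_BODY), indent=2))
```

Comparing the `report` list against the UI's Reports tab is a quick way to see which extra entries the bare endpoint call was counting.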