Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

REST endpoint for SAVED SEARCHES - FILTERING

IAskALotOfQs
Path Finder
‎05-14-2024 01:43 AM

Hi all, I'm trying to get all the saved searches in Splunk that are in all apps. Could someone explain to me what the endpoint servicesNS/-/-/saved/searches  is and what data is returned.

 

 

For reference I've tried to use that endpoint and match it with saved searches only (reports) and not to return any alerts.  But the data returned has a lot more than expected as the number in the "reports" tab under "all apps" is a lot smaller than the number returned from the REST call

 

Any help or link to docs would be appreciated

 

Labels (3)
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2024 05:27 AM

That endpoint returns information about all saved searches in all apps.  See the REST API Reference Manual for an explanation of the data returned.

Note that reports and alerts are both saved searches.  Reports are distinguished by the attribute alert_type=always, but there may be other indicators.

---
If this reply helps you, Karma would be appreciated.
Reply

IAskALotOfQs
Path Finder
‎05-14-2024 06:15 AM

What other indicators would there be that distinguish it to reports only?

 

And also how do you know that "alert_type=always" is an attribute that singles out reports, can't find this info anywhere 🙂

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2024 06:44 AM

Other attributes that *may* distinguish a report include alert.track and alert_condition, but I've found alert_type to be the best.

You won't find this information documented.  It's tribal knowledge and now you're part of the tribe.  🙂  Seriously, you can use your browser's console to view the REST commands sent for the UI's Searches, Reports, and Alerts dashboard to see how the two types are differentiated.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...