Splunk Search

REST endpoint for SAVED SEARCHES - FILTERING

IAskALotOfQs
Path Finder

Hi all, I'm trying to get all the saved searches in Splunk that are in all apps. Could someone explain to me what the endpoint servicesNS/-/-/saved/searches is and what data is returned?

For reference, I've tried to use that endpoint and match it with saved searches only (reports) and not return any alerts. But the data returned has a lot more than expected, as the number in the "Reports" tab under "All apps" is a lot smaller than the number returned from the REST call.

Any help or link to docs would be appreciated.

0 Karma

richgalloway
SplunkTrust

That endpoint returns information about all saved searches in all apps.  See the REST API Reference Manual for an explanation of the data returned.

Note that reports and alerts are both saved searches.  Reports are distinguished by the attribute alert_type=always, but there may be other indicators.

---
If this reply helps you, Karma would be appreciated.

IAskALotOfQs
Path Finder

What other indicators would there be that distinguish it as a report only?

And also, how do you know that "alert_type=always" is an attribute that singles out reports? I can't find this info anywhere 🙂

0 Karma

richgalloway
SplunkTrust

Other attributes that *may* distinguish a report include alert.track and alert_condition, but I've found alert_type to be the best.

You won't find this information documented.  It's tribal knowledge and now you're part of the tribe.  🙂  Seriously, you can use your browser's console to view the REST commands sent for the UI's Searches, Reports, and Alerts dashboard to see how the two types are differentiated.

---
If this reply helps you, Karma would be appreciated.
0 Karma
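To make the two replies above concrete, here is an added example (my own code, not from the thread or from Splunk) that takes the JSON returned by servicesNS/-/-/saved/searches?output_mode=json and splits it into reports and alerts using the alert_type=always rule, then counts reports per app so the result can be compared with the UI's "Reports" tab. The response shape it relies on (a list under "entry", each with "name", "acl" and "content") is the standard Splunk REST JSON envelope; the sample entries, the app names and the fetch helper's token-based login are constructed assumptions for illustration.

```python
"""Added example: separate Splunk saved searches into reports and alerts.

Assumptions (not from the thread): the endpoint is queried with
output_mode=json; each entry exposes its settings under "content" and its
app under "acl". SAMPLE_RESPONSE is constructed, not real server output.
"""
import json
import urllib.request
from collections import Counter

# Constructed sample resembling a trimmed servicesNS/-/-/saved/searches
# response. Reports carry alert_type=always; alerts carry a condition-type
# alert_type plus the alert.track / alert_condition attributes mentioned above.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Failed logins per host",
         "acl": {"app": "search", "owner": "admin"},
         "content": {"alert_type": "always", "is_scheduled": "1",
                     "alert.track": "0"}},
        {"name": "Brute force alert",
         "acl": {"app": "search", "owner": "admin"},
         "content": {"alert_type": "number of events",
                     "alert_comparator": "greater than",
                     "alert_threshold": "10", "alert.track": "1"}},
        {"name": "Weekly summary",
         "acl": {"app": "example_app", "owner": "nobody"},
         "content": {"alert_type": "always", "is_scheduled": "1",
                     "alert.track": "0"}},
        {"name": "Custom condition alert",
         "acl": {"app": "example_app", "owner": "nobody"},
         "content": {"alert_type": "custom",
                     "alert_condition": "search count > 5",
                     "alert.track": "1"}},
    ]
})


def is_report(entry):
    """Apply the rule from the reply above: alert_type=always marks a report."""
    return entry.get("content", {}).get("alert_type") == "always"


def split_saved_searches(response_text):
    """Return (report_names, alert_names) from a saved/searches JSON response."""
    entries = json.loads(response_text).get("entry", [])
    reports = [e["name"] for e in entries if is_report(e)]
    alerts = [e["name"] for e in entries if not is_report(e)]
    return reports, alerts


def reports_per_app(response_text):
    """Count reports by acl.app, which is how the UI groups the Reports tab."""
    entries = json.loads(response_text).get("entry", [])
    return dict(Counter(e["acl"]["app"] for e in entries if is_report(e)))


def fetch_saved_searches(base_url, token):
    """Fetch every saved search in every app (needs a live server; assumed
    bearer-token auth). count=0 asks the REST API for all entries, not a page."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    reports, alerts = split_saved_searches(SAMPLE_RESPONSE)
    print("reports:", reports)
    print("alerts:", alerts)
    print("reports per app:", reports_per_app(SAMPLE_RESPONSE))
```

Against a real deployment, swap SAMPLE_RESPONSE for the text returned by fetch_saved_searches; if the per-app report counts still do not match the UI, compare the attributes of the mismatching entries in the browser console as the second reply suggests.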