So, jumping into this search question https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/288845, the search I am using is:

    | rest /servicesNS/-/-/saved/searches splunk_server=local | search disabled=0 | table title, disabled, action.hangout_chat_alert, action.email

I came across the question of whether there is any documentation on what the 1, 0 or blank means on some of the fields. I have this alert that only has a HangoutChat alert set up. When I run the query above, it shows:

    title disabled=0 action.hangout_chat_alert=0 and action.email=0

I'm confused as to why email and hangout are returning the value 0. disabled=0 is returning me all alerts that are active, and 1 is alerts that are actually disabled. Shouldn't it be like this?

    title disabled=0 action.hangout_chat_alert=0 and action.email=blank

My understanding of the 1, 0 and blank is: 1 is enabled, 0 is disabled, and blank is that it was not set up with that action. Now, on the original post you can see Mr @woodcock explaining below that alert.track=1 means it's an alert and 0 means it's a report. With all the other ones I don't believe it works the same. Is there documentation that covers this topic? And how does my alert above end up with action.email=0 even though I clearly have not set that action on my alert, only HangoutChat as the action?

ALL APPS:

    | rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Search app only:

    | rest /servicesNS/-/search/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule
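An added example, not part of the original post or of Splunk's own tooling, showing one way to audit the rows that the `| rest /servicesNS/-/-/saved/searches` searches above return. It assumes each row arrives as a dict of field name to string value (as `| rest` exposes them), that `alert.track=1` marks an alert and `0` a report, that `disabled=1` marks a disabled search, and that a missing or empty `action.<name>` field means that action was never configured. The sample rows are constructed, and the rule that compares the `actions` list against the individual `action.<name>` toggles is an assumption used to flag searches worth a second look, not documented Splunk semantics.

```python
"""Triage saved-search rows from `| rest /servicesNS/-/-/saved/searches`.

Added example: classifies each row as alert/report, enabled/disabled, and maps
every `action.<name>` toggle to a tri-state value so that an auditor can see
which alerts will actually notify anyone.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rows that mimic the fields the original post tables.
SAMPLE_ROWS = [
    {"title": "Brute force logins", "disabled": "0", "alert.track": "1",
     "actions": "hangout_chat_alert",
     "action.hangout_chat_alert": "1", "action.email": "0"},
    {"title": "Old report", "disabled": "1", "alert.track": "0",
     "actions": "", "action.email": ""},
    {"title": "Weekly summary", "disabled": "0", "alert.track": "1",
     "actions": "email", "action.email": "1",
     "action.script.filename": ""},  # sub-setting, not an action toggle
    {"title": "Stale email alert", "disabled": "0", "alert.track": "1",
     "actions": "email", "action.email": "0"},  # listed but toggled off
]


def tri_state(value: Optional[str]) -> str:
    """Map a Splunk boolean-ish field to enabled / disabled / not configured.

    Assumption: a missing or empty field means the action was never set up.
    """
    if value is None or value.strip() == "":
        return "not configured"
    v = value.strip().lower()
    if v in ("1", "true"):
        return "enabled"
    if v in ("0", "false"):
        return "disabled"
    return f"unknown({value})"


def action_fields(row: Dict[str, str]) -> Dict[str, str]:
    """Return only top-level `action.<name>` toggles.

    Keys with a second dot (e.g. `action.script.filename`) are settings of an
    action, not on/off toggles, so they are skipped.
    """
    return {k[len("action."):]: v for k, v in row.items()
            if k.startswith("action.") and k.count(".") == 1}


@dataclass
class Triage:
    title: str
    enabled: bool
    kind: str                   # "alert" or "report"
    actions: Dict[str, str]     # action name -> tri-state
    listed_actions: List[str]   # names from the comma-separated `actions` field


def triage_row(row: Dict[str, str]) -> Triage:
    listed = [a.strip() for a in row.get("actions", "").split(",") if a.strip()]
    return Triage(
        title=row["title"],
        enabled=row.get("disabled", "0").strip() != "1",
        kind="alert" if row.get("alert.track", "").strip() == "1" else "report",
        actions={name: tri_state(val) for name, val in action_fields(row).items()},
        listed_actions=listed,
    )


def active_alerts(rows: List[Dict[str, str]]) -> List[Triage]:
    """Alerts that are enabled, i.e. the ones that can still fire."""
    return [t for t in (triage_row(r) for r in rows)
            if t.enabled and t.kind == "alert"]


def action_mismatches(t: Triage) -> List[str]:
    """Actions where the `actions` list and the per-action toggle disagree.

    Assumption used for auditing: an action that is listed in `actions` but
    whose `action.<name>` toggle is not enabled (or vice versa) deserves review,
    because it is unclear whether it will notify anyone.
    """
    listed = set(t.listed_actions)
    toggled = {n for n, s in t.actions.items() if s == "enabled"}
    return sorted(listed ^ toggled)


if __name__ == "__main__":
    for t in active_alerts(SAMPLE_ROWS):
        print(f"{t.title}: actions={t.actions} mismatches={action_mismatches(t)}")
```

Feed the function real rows by exporting the `| rest` results (for example as JSON) and loading them into the same dict shape; the tri-state mapping then shows at a glance which active alerts have no enabled action at all.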