Hi Splunkers, as per the thread title, I need to build one or more searches that show me, for a specific app, all alerts, reports and dashboards owned by that app. Now, I know very well that the community is full of topics about this problem and related answers. The issue is the following: none of them works properly in my case. This is because, when I run the search and specify the app, I get "mixed" results: I mean, I get an output composed of alerts owned by the app I'm searching for, but also others. Let me be more specific. I know that, for this kind of search, the base string is:

| rest splunk_server=local /servicesNS/-/-/saved/searches
| table title

which means: hey, return me all saved searches for all apps on the local Splunk server (an SH, in my case). So, if I execute the above search, I get more or less 450 results. So, what if I need to filter? Very simple:

| rest splunk_server=local /servicesNS/-/<app name here>/saved/searches
| table title

That should return all and only the saved searches for the requested app (a custom one in my case). Problem: the app I need info on has 119 saved searches (checked in the GUI on the related page). The above query returns me a total of 256; analyzing the output, it returns searches owned by other apps. Of course, I have already performed the obvious check, which is: am I sure that the searches in the output belong to different apps and are not all for the one I'm searching for? Yes, I checked, and in the output there are also Enterprise Security searches, so for sure the search is returning more data than I need. So, my question is: what can be the root cause of this behavior, if search ownership is correct?
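The distinction the post runs into is between objects visible *from* an app's namespace and objects *owned* by that app. The `/servicesNS/<user>/<app>/` path is a permission/visibility context: it returns the app's own knowledge objects plus everything other apps share globally (`sharing=global`), which is why Enterprise Security correlation searches show up when querying a custom app. The ownership is in the ACL of each entry, so in SPL the filter is on that field rather than on the path, e.g. `| rest splunk_server=local /servicesNS/-/-/saved/searches | search eai:acl.app="<app name here>" | table title eai:acl.app eai:acl.sharing`. The following is an added example, not part of the original post or of any Splunk code: it takes a constructed JSON response in the shape Splunk returns for `GET /servicesNS/-/<app>/saved/searches?output_mode=json` (only the fields used here are kept; the app and search names are made up) and separates the searches the app really owns from the globally shared ones that merely appear in its namespace view.

```python
import json
from collections import Counter

# Constructed sample response. Real Splunk output has many more fields under
# "content"; only "name" and the "acl" block matter for this check.
# The app names (my_custom_app, SA-ExampleES) and search titles are made up.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Failed logins by host",
         "acl": {"app": "my_custom_app", "owner": "admin", "sharing": "app"}},
        {"name": "Daily license usage",
         "acl": {"app": "my_custom_app", "owner": "nobody", "sharing": "global"}},
        {"name": "Example correlation rule",
         "acl": {"app": "SA-ExampleES", "owner": "nobody", "sharing": "global"}},
        {"name": "Errors in the last 24 hours",
         "acl": {"app": "search", "owner": "nobody", "sharing": "global"}},
        {"name": "private draft",
         "acl": {"app": "my_custom_app", "owner": "jdoe", "sharing": "user"}},
    ]
})


def visible_searches(response_json):
    """Every entry the namespace endpoint returned: what is visible *from* the app.

    Returns (name, owning_app, sharing) tuples. This is the 256-row view from
    the post: the app's own objects plus globally shared objects of other apps.
    """
    entries = json.loads(response_json)["entry"]
    return [(e["name"], e["acl"]["app"], e["acl"]["sharing"]) for e in entries]


def owned_by_app(response_json, app):
    """Only the saved searches whose ACL says they belong to `app`.

    This is the equivalent of `| search eai:acl.app="<app>"` in SPL and is the
    count you would compare against the app's own page in the GUI.
    """
    return [name for name, acl_app, _ in visible_searches(response_json)
            if acl_app == app]


def foreign_globals(response_json, app):
    """Count, per source app, the globally shared objects leaking into the view.

    Anything here is visible from `app` without being owned by it; in the post
    these are the Enterprise Security searches.
    """
    counts = Counter(acl_app
                     for _, acl_app, sharing in visible_searches(response_json)
                     if acl_app != app and sharing == "global")
    return dict(counts)


if __name__ == "__main__":
    target = "my_custom_app"
    print(f"visible from {target}: {len(visible_searches(SAMPLE_RESPONSE))}")
    print(f"owned by {target}:    {len(owned_by_app(SAMPLE_RESPONSE, target))}")
    print(f"leaked from others:  {foreign_globals(SAMPLE_RESPONSE, target)}")
```

If the numbers still disagree with the GUI after filtering on `eai:acl.app`, compare `eai:acl.owner` as well: the `-` user wildcard in the path returns every user's private (`sharing=user`) objects that the calling account is allowed to see, which a per-user GUI session does not list.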