@ramamohangaddam You can use the REST API to update saved searches. POST parameters are documented here: https://docs.splunk.com/Documentation/Splunk/8.1.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D The parameters of interest are alert.track and alert.severity. To enable "Add to Triggered Alerts," set alert.track to 1. The default severity is Medium (3). To change the severity, set alert.severity to the numeric severity value: Info => 1 Low => 2 Medium => 3 High => 4 Critical => 5 E.g. $ curl -k -s -u admin:password 'https://localhost:8089/services/saved/searches/{name}' -d alert.track=1 -d alert.severity=5 Replace {name} with the name of the search. You can enumerate searches in different ways, e.g.: $ curl -k -s -u admin:password 'https://localhost:8089/services/saved/searches?count=0&f=title' $ $SPLUNK_HOME/bin/splunk cmd btool savedsearches list | grep '^\[' | sed -e 's/[][]//g' However, you probably don't want to modify every search on your instance. Generate a list of curl commands using whatever method is easiest for you.
... View more