Listing all saved searches from all apps via REST ...

karadikid · ‎07-12-2020

Hi All,

So, I know I can get a list of all enabled saved searches by doing:

| rest count=0 /servicesNS/-/-/saved/searches | search disabled=0 | table title

However, I want to list all enabled saved searches from all Apps, which are NOT "correlation searches". Any idea how to implement such query?

richgalloway · ‎07-13-2020

A correlation search is the same as a saved search. The only distinction is the app context. You can use the regex command to filter on eai:acl.app, but you'll have to come up with a regular expression that matches only ES apps. Something like this (which filters too much)

| rest count=0 /servicesNS/-/-/saved/searches | search disabled=0 
| regex eai:acl.app!="(DA-ESS)|(SA-)"
| table title

---
If this reply helps you, Karma would be appreciated.

karadikid · ‎07-14-2020

Thanks richgalloway!

So, can I safely assume that a correlation search is only related to SplunkES and simply negate other apps in my queries?

I also wonder how the UI returns specifically "Correlation Searches"\"Saved Searches"\etc... when searching via the "content management" UI. Any idea how I can mimic this behaviour?

richgalloway · ‎07-14-2020

I dug further into my notes and found this query.

| rest splunk_server=local count=0 /services/saved/searches 
| where NOT 'action.correlationsearch.enabled'=1

---
If this reply helps you, Karma would be appreciated.

Listing all saved searches from all apps via REST without correlation searches

other

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?