Hi All,
So, I know I can get a list of all enabled saved searches by doing:
| rest count=0 /servicesNS/-/-/saved/searches | search disabled=0 | table title
However, I want to list all enabled saved searches from all Apps which are NOT "correlation searches". Any idea how to implement such a query?
A correlation search is the same as a saved search. The only distinction is the app context. You can use the regex command to filter on eai:acl.app, but you'll have to come up with a regular expression that matches only ES apps. Something like this (which filters too much):
| rest count=0 /servicesNS/-/-/saved/searches | search disabled=0
| regex eai:acl.app!="(DA-ESS)|(SA-)"
| table title
Thanks richgalloway!
So, can I safely assume that a correlation search is only related to SplunkES and simply negate other apps in my queries?
I also wonder how the UI returns specifically "Correlation Searches" / "Saved Searches" / etc. when searching via the "Content Management" UI. Any idea how I can mimic this behaviour?
I dug further into my notes and found this query.
| rest splunk_server=local count=0 /services/saved/searches
| where NOT 'action.correlationsearch.enabled'=1
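Added example (Python, not from this thread or from Splunk) showing why the two answers above differ: it applies both filters, the app-name regex and the action.correlationsearch.enabled flag, to a constructed JSON payload shaped like /services/saved/searches?output_mode=json. The app and search names are made up; the flag values follow the SPL in the last answer.

```python
import json
import re

# Constructed sample in the shape of the saved/searches REST endpoint (JSON mode):
# each entry has name, acl.app (what `| rest` flattens to eai:acl.app) and content.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Daily License Usage", "acl": {"app": "search"},
     "content": {"disabled": False}},
    {"name": "Example Correlation Rule", "acl": {"app": "SA-Example"},
     "content": {"disabled": False, "action.correlationsearch.enabled": "1"}},
    {"name": "Old Report", "acl": {"app": "search"},
     "content": {"disabled": True}},
    {"name": "ES Lookup Generator", "acl": {"app": "DA-ESS-Example"},
     "content": {"disabled": False, "action.correlationsearch.enabled": "0"}},
]})

# Same pattern as the regex-command answer: anything in a DA-ESS* or SA-* app.
ES_APP_PATTERN = re.compile(r"(DA-ESS)|(SA-)")


def _is_disabled(entry):
    # JSON mode returns a boolean; SPL shows "0"/"1", so accept both forms.
    return str(entry["content"].get("disabled", False)).lower() in ("1", "true")


def _is_correlation_search(entry):
    # ES sets this action flag on correlation searches. Saved searches in
    # non-ES apps normally have no such key at all, so a missing key means "0".
    flag = entry["content"].get("action.correlationsearch.enabled", "0")
    return str(flag) == "1"


def enabled_outside_es_apps(raw_json):
    """First approach: drop every enabled search whose app matches the ES prefixes."""
    entries = json.loads(raw_json)["entry"]
    return [e["name"] for e in entries
            if not _is_disabled(e) and not ES_APP_PATTERN.search(e["acl"]["app"])]


def enabled_non_correlation(raw_json):
    """Second approach: keep enabled searches unless the correlation flag is set."""
    entries = json.loads(raw_json)["entry"]
    return [e["name"] for e in entries
            if not _is_disabled(e) and not _is_correlation_search(e)]


if __name__ == "__main__":
    # The app regex also drops "ES Lookup Generator", which is not a correlation
    # search; the flag-based filter keeps it.
    print(enabled_outside_es_apps(SAMPLE_RESPONSE))
    print(enabled_non_correlation(SAMPLE_RESPONSE))
```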