So basically, I'm looking to effectively export/retrieve all content from Settings>Searches, Reports, and Alerts. Basically looking to build a reference document to list my alerts/reports with the underlying search. Is there a simple way to pull these from a location in the OS file structure instead of manually recording them from the UI? Tedious task, I know!
Splunk stores knowledge objects in conf files. Saved searches and alerts can be found in savedsearches.conf.
The location of the file depends on the permissions, i.e., if the user hasn't shared the search then it will be under the user's directory; if it's shared in the app, it will be in the etc/apps/appname default or local directory
or just run
splunk cmd btool --debug savedsearches list
or use rest
| rest /servicesNS/-/-/saved/searches splunk_server=local
Remark: with btool you will only find the public or shared saved searches
from the system $SPLUNK_HOME/etc/system/(local|default)/savedsearches.conf
and from the apps $SPLUNK_HOME/etc/apps/(appname)/(local|default)/savedsearches.conf
If you want to find the "private" saved searches, you have to go into each profile
from $SPLUNK_HOME/etc/users/(username)/(appname)/(local|default)/savedsearches.conf
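The file locations listed in this thread can be walked with a short script to produce the alert/report reference list the question asks for. This is an added example, not part of the original thread or Splunk's own tooling. The function names and the /opt/splunk fallback are assumptions, and it merges default and local only within each directory rather than reproducing btool's full layering.

```python
import glob
import os

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        while line.endswith("\\"):              # value continues on the next line
            line = line[:-1].rstrip() + "\n" + next(lines, "").rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def inventory(splunk_home):
    """Return sorted (owner, app, name, search) rows; owner is 'shared' for system/app files."""
    etc = os.path.join(splunk_home, "etc")
    scopes = [("shared", "system", os.path.join(etc, "system"))]
    scopes += [("shared", os.path.basename(d), d)
               for d in glob.glob(os.path.join(etc, "apps", "*"))]
    scopes += [(os.path.basename(os.path.dirname(d)), os.path.basename(d), d)
               for d in glob.glob(os.path.join(etc, "users", "*", "*"))]
    rows = []
    for owner, app, base in scopes:
        merged = {}
        for layer in ("default", "local"):      # local overrides default, key by key
            path = os.path.join(base, layer, "savedsearches.conf")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    for name, kv in parse_conf(fh.read()).items():
                        merged.setdefault(name, {}).update(kv)
        # Stanzas without a search key (e.g. [default]) are not saved searches.
        rows += [(owner, app, name, kv["search"])
                 for name, kv in merged.items() if "search" in kv]
    return sorted(rows)

if __name__ == "__main__":
    # /opt/splunk is an assumed fallback; set SPLUNK_HOME for your install.
    for row in inventory(os.environ.get("SPLUNK_HOME", "/opt/splunk")):
        print("\t".join(row).replace("\n", " "))
```

Run it as a user that can read $SPLUNK_HOME/etc/users, otherwise private searches are silently missing from the list.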