Why can't we search within Searches, reports and a...

ddrillic · ‎11-20-2017

When we search within Searches, reports and alerts, we get the entire set of items.

What can it be? As we search for API in this example...

burwell · ‎11-25-2017

Dear ddrillic: search for something like "nothere" which is unlikely to be in any of your search titles or the actual search. Does that match your searches, reports and alerts? I suggest this because API matched a lot of my searches too and not just the titles.

burwell · ‎11-20-2017

Hi. If you have the string API in the subject or in the body of the search, it will match.

ddrillic · ‎11-20-2017

You see, the problem I have is that everything comes back, including items that don't match...

burwell · ‎11-21-2017

Hi. What version of Splunk?

burwell · ‎11-21-2017

So a good test.. search for something like nothere which is unlikely to be in any of your search titles or the actual search. Does that match your searches, reports and alerts? I suggest this because API matched a lot of my searches too and not just the titles.

kamlesh_vaghela · ‎11-20-2017

HI @ddrillic,

Do you have any searches, reports or alerts in "AppName" app?

Can you please uncheck "show only objects created in this app context" checkbox? You might be found your desired savedsearches.

Thanks

ddrillic · ‎11-20-2017

No luck with that @kamlesh_vaghela.

I also tried searching for API* but everything comes back.

MuS · ‎11-20-2017

What does the messages tell you, you have 4 of them?

If you query the REST api directly can you get something back:

 | rest /servicesNS/-/-/saved/searches splunk_server=local | search title="api*"

Why can't we search within Searches, reports and alerts?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases