drop splunk savedsearches.conf · parse alerts + thresholds + recipients · runs locally
savedsearch · alert actions · conf export · local only
heuristic screener · vendor schema varies · not definitive proof