topic Re: delete multiple alerts from splunk cloud in Splunk Cloud Platform

delete multiple alerts from splunk cloud

sarit_s6 — Tue, 09 Jul 2024 11:10:37 GMT

Hello

I'm using Splunk cloud and i want to delete multiple alerts from list.

i was trying to do it with curl but got errors that i cannot figure out.

is there any other way ?

Re: delete multiple alerts from splunk cloud

richgalloway — Tue, 09 Jul 2024 13:23:47 GMT

It would help to know what curl command you tried and what error it returned.

AIUI, alerts must be deleted individually. There is no method in the UI for selecting multiple alerts for deletion.

Re: delete multiple alerts from splunk cloud

sarit_s — Wed, 10 Jul 2024 06:19:39 GMT

ok so i was able to figure it out
but now i have new issue that i don't know even where to start

i have a list of alerts that i want to move from one splunk app to another

is there a way to do it with script ? because doing it one by one will take me forever.

i have a file with - alert name, alert id, current app name, new app name

Re: delete multiple alerts from splunk cloud

richgalloway — Thu, 11 Jul 2024 12:02:05 GMT

If the apps are defined in a custom app (a Best Practice) then edit savedsearches.conf to put the alerts in another app. Then upload and install both apps.

Otherwise, you can use the REST API to do the job. See https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D

First, I'd try modifying the eai:acl.app setting, but I'm not sure that's supported. If it works, you're golden and just need to loop through a list of searches to move.

If that doesn't work then you're stuck with copy-and-delete. Read the specs for each search, create a copy of it in the destination app, then delete the original.