topic Re: Need query to see all alerts in Splunk Enterprise

How to create a search to see all alerts?

vishwa — Thu, 10 Aug 2023 21:37:03 GMT

We have many alerts setup in Splunk, so how can I get the list of alerts corn scheduled for 10mins

inventsekar — Thu, 10 Aug 2023 00:10:18 GMT

bowesmana — Thu, 10 Aug 2023 00:10:47 GMT

You can use the rest api to get the saved searches and look at the cron schedule

| rest splunk_server=local /servicesNS/-/-/saved/searches | where disabled=0 AND is_scheduled=1 | fields title cron_schedule next_scheduled_time

then you can do what you need to do with that data

vishwa — Thu, 10 Aug 2023 13:59:04 GMT

@bowesmana , thank you for the query

But I am getting all the alerts how can I add filter to see only 10 mins scheduled alerts

I tried using search or where command for cron scheduled field but it not coming.

bowesmana — Thu, 10 Aug 2023 23:34:02 GMT

Can you explain what you mean by to see only 10 mins scheduled alerts

Does that mean alerts that are scheduled to run in the next 10 minutes or alerts that are scheduled to run every 10 minutes or...?

vishwa — Fri, 11 Aug 2023 00:40:24 GMT

I want to see the list of alerts that are scheduled to run every 10 minutes

bowesmana — Fri, 11 Aug 2023 03:14:41 GMT

You need to look at the minute part of the cron schedule, for example you could do this at the end of the other search I gave to you

| eval ten_minute_schedule=if(match(cron_schedule, "^\*/10"), 1, 0) | where ten_minute_schedule=1