https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687868#M10045 <P>You could try to do it using REST API but I'd say it's not a best idea. If you enable too many searches, you're gonna kill your servers. So it's best to enable those you need, not just all there are.</P> Fri, 17 May 2024 13:01:13 GMT PickleRick 2024-05-17T13:01:13Z https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687863#M10041 <P>Hi,</P><P>&nbsp;</P><P>Is there a way of bulk enabling alerts in Splunk enterprise?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Joe</P> Fri, 17 May 2024 12:26:32 GMT https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687863#M10041 joe06031990 2024-05-17T12:26:32Z https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687868#M10045 <P>You could try to do it using REST API but I'd say it's not a best idea. If you enable too many searches, you're gonna kill your servers. So it's best to enable those you need, not just all there are.</P> Fri, 17 May 2024 13:01:13 GMT https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687868#M10045 PickleRick 2024-05-17T13:01:13Z https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687879#M10048 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49272">@joe06031990</a>&nbsp;,</P><P>it's a request from many of us,</P><P>go in Splunk ideas and vote for it: maybe someone in the Splunk project will consider the request!</P><P>Ciao.</P><P>Giuseppe</P> Fri, 17 May 2024 13:25:00 GMT https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687879#M10048 gcusello 2024-05-17T13:25:00Z https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687886#M10051 <P>A while ago, I had to enable a number of alerts (saved searches) for an app<BR /><BR />I created a simple bash file (Assuming your Linux based) which used the API, and this ran through them. Take note of what&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp; said&nbsp; you could end up with a performance issue if you enable too&nbsp; many.&nbsp;<BR /><BR />This worked for me.&nbsp;</P><P>You need to create a Splunk token, and get a list your target alerts (saved searches) in your App , then add them to the bash script, a bit of home work, yes, but it got the job done in the end for me.&nbsp;<BR /><BR />Here is an example bash script&nbsp;<BR /><BR /></P><LI-CODE lang="markup">#!/bin/bash # Define your variables TOKEN="MY SPLUNK TOKEN" SERVER="https://MY_SPLUNK_SERVER_SH:8089" APP="MY_APP" # Define alerts ALERTS=("my_alert1" "my_alert2") # Loop through each alert and enable it for ALERT in "${ALERTS[@]}"; do echo "Enabling alert: $ALERT" curl -X POST -k -H "Authorization: Bearer $TOKEN" "$SERVER/servicesNS/nobody/$APP/saved/searches/$ALERT" -d disabled=0 if [ $? -eq 0 ]; then echo "Alert $ALERT enabled successfully." sleep 10 else echo "Failed to enable alert $ALERT." fi done</LI-CODE><P><BR />You can use the below to find your alert searches names&nbsp;<BR /><BR /></P><LI-CODE lang="markup">| rest splunk_server=local /services/saved/searches | fields splunk_server, author, title, disabled, eai:acl.app, eai:acl.owner, eai:acl.sharing, id, search | rename title AS saved_search_name eai:acl.app AS app eai:acl.owner AS owner eai:acl.sharing AS sharing search AS spl_code | eval is_enabled = case(disabled &gt;=1, "disabled",1=1, "enabled") ```| search app=YOUR APP NAME ``` | table splunk_server, author, saved_search_name, disabled, is_enabled, app, owner, sharing, spl_code</LI-CODE><P><BR />&nbsp;</P><P><BR /><BR /><BR /></P><P>&nbsp;</P> Fri, 17 May 2024 14:23:01 GMT https://community.splunk.com/t5/Knowledge-Management/Bulk-enabling-alerts/m-p/687886#M10051 deepakc 2024-05-17T14:23:01Z