<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: REST API usage to get list of all the alerts in Splunk Enterprise Security</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-usage-to-get-list-of-all-the-alerts/m-p/563339#M10203</link>
    <description>&lt;P&gt;I've had pretty good success with the following search.&amp;nbsp; It returns all alerts that are not part of a default Splunk app and that are not disabled.&lt;/P&gt;&lt;LI-CODE lang="c"&gt;| rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* 
| search disabled=0
| eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user),  app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect")) 
| rex field=ol_cmd "outputlookup (?&amp;lt;ol_tgt_filename&amp;gt;.+)" 
| rex field=si_cmd "index\\s?=\\s?(?&amp;lt;si_tgt_index&amp;gt;[-_\\w]+)" 
| eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename') 
| rex field=description mode=sed "s/^\\s+//g" 
| eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) &amp;gt; 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0) 
| fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action 
| eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch")
| where is_alert==1
| eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0)
| where splunk_default_app=0 
| fields - splunk_server, splunk_default_app&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Sun, 15 Aug 2021 20:10:54 GMT</pubDate>
    <dc:creator>jnew_splunk</dc:creator>
    <dc:date>2021-08-15T20:10:54Z</dc:date>
    <item>
      <title>REST API usage to get list of all the alerts</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-usage-to-get-list-of-all-the-alerts/m-p/467718#M7018</link>
      <description>&lt;P&gt;Hi Everyone,&lt;/P&gt;

&lt;P&gt;I would like to list all the alerts that are set up by users, not by Splunk apps like ITSI/DMC, using the REST API.&lt;/P&gt;

&lt;P&gt;Please help me.&lt;/P&gt;

&lt;P&gt;I used the queries below, but they did not give proper results.&lt;/P&gt;

&lt;P&gt;| rest /services/saved/searches | search title=*| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email" ,alert_comparator AS "Comparison", dispatch.earliest_time  AS "frequency", alert.severity AS  "SEV" ,author AS "Author" ,disabled AS "Disabled-True"| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity,Search, Email,Author,Disabled-True&lt;/P&gt;

&lt;P&gt;| rest /services/alerts/fired_alerts/&lt;/P&gt;

&lt;P&gt;|rest /servicesNS/admin/-/alerts/alert_actions &lt;/P&gt;

&lt;P&gt;|rest/servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 05:35:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-usage-to-get-list-of-all-the-alerts/m-p/467718#M7018</guid>
      <dc:creator>vijaya5</dc:creator>
      <dc:date>2020-09-30T05:35:06Z</dc:date>
    </item>
    <item>
      <title>Re: REST API usage to get list of all the alerts</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-usage-to-get-list-of-all-the-alerts/m-p/467719#M7019</link>
      <description>&lt;P&gt;|rest/servicesNS/-/-/saved/searches splunk_server=local | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule&lt;/P&gt;

&lt;P&gt;The search might need some tweaking to narrow it down, but splunk_server=local might help if you have a distributed environment.&lt;/P&gt;

&lt;P&gt;If you update your search to look for a condition, that would confirm it was an alert rather than a report. The next challenge would be to attempt to ignore alerts from apps (in general, if the username is not admin/splunk-system-user, it should not have come from an app).&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 05:37:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-usage-to-get-list-of-all-the-alerts/m-p/467719#M7019</guid>
      <dc:creator>gjanders</dc:creator>
      <dc:date>2020-09-30T05:37:34Z</dc:date>
    </item>
    <item>
      <title>Re: REST API usage to get list of all the alerts</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-usage-to-get-list-of-all-the-alerts/m-p/563339#M10203</link>
      <description>&lt;P&gt;I've had pretty good success with the following search.&amp;nbsp; It returns all alerts that are not part of a default Splunk app and that are not disabled.&lt;/P&gt;&lt;LI-CODE lang="c"&gt;| rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* 
| search disabled=0
| eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user),  app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect")) 
| rex field=ol_cmd "outputlookup (?&amp;lt;ol_tgt_filename&amp;gt;.+)" 
| rex field=si_cmd "index\\s?=\\s?(?&amp;lt;si_tgt_index&amp;gt;[-_\\w]+)" 
| eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename') 
| rex field=description mode=sed "s/^\\s+//g" 
| eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) &amp;gt; 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0) 
| fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action 
| eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch")
| where is_alert==1
| eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0)
| where splunk_default_app=0 
| fields - splunk_server, splunk_default_app&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 15 Aug 2021 20:10:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/REST-API-usage-to-get-list-of-all-the-alerts/m-p/563339#M10203</guid>
      <dc:creator>jnew_splunk</dc:creator>
      <dc:date>2021-08-15T20:10:54Z</dc:date>
    </item>
  </channel>
</rss>

