https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156224#M2555 <P>Is it a namespace issue?</P> <P>Try here<BR /> <A href="https://answers.splunk.com/answers/146985/how-to-view-list-of-email-addresses-for-saved-alerts.html">https://answers.splunk.com/answers/146985/how-to-view-list-of-email-addresses-for-saved-alerts.html</A></P> <PRE><CODE>You need to use namespace wildcards to get all the searches (run as admin), I've added a filter to only load searches that have the email action enabled: | rest /servicesNS/-/-/saved/searches search="action.email=1" | table title eai:acl.app eai:acl.owner disabled is_scheduled cron_schedule action.email* </CODE></PRE> <P>I also found these pages helpful</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/RESTAPI/RESTsearch">http://docs.splunk.com/Documentation/Splunk/6.0.2/RESTAPI/RESTsearch</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTsearchExamples">http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTsearchExamples</A></P> Thu, 26 Mar 2015 08:20:37 GMT jackscratch 2015-03-26T08:20:37Z https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156221#M2552 <P>I am using the REST API to create a bot to search for triggered alerts every 30 seconds or so. I created saved searches as alerts on my personal splunk account from my company and everything worked fine. </P> <PRE><CODE>curl -k -u [username]:[password] https://[host]/servicesNS/[username]/[app]/alerts/fired_alerts -d "output_mode=json" --get </CODE></PRE> <P>I recently got a new splunk account specifically for the bot to use so I went and recreated the alerts I had previously created on the new account but when I run the API calls I am not getting any triggered alerts returned. I can see my test alerts in the alert manager and the alerts I created on the new account are exactly the same as the ones I had on my personal account. </P> <P>I have tried deleting the saved searches on my personal account as well as recreating the searches on the bot account but I am unable to see the triggered alerts when I check for them using the API.</P> <P>Any help would greatly appreciated.</P> <P>edit: If I search for triggered alerts from all apps I am able to see other alerts that were created by other people but not the ones I created.</P> <P>I can see the alerts that were triggered <A href="http://i.imgur.com/NcoDyy7.png">http://i.imgur.com/NcoDyy7.png</A> but when I run the command I only get <A href="http://pastebin.com/6N9r82k1">http://pastebin.com/6N9r82k1</A></P> Thu, 24 Jul 2014 15:35:04 GMT https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156221#M2552 skuller 2014-07-24T15:35:04Z https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156222#M2553 <P>Hmmm this worked for me: </P> <P>curl --get -ku admin:xxxxx <A href="https://localhost:9621/servicesNS/admin/sales/alerts/fired_alerts">https://localhost:9621/servicesNS/admin/sales/alerts/fired_alerts</A> -d "output_mode=json" </P> <P>Try --get upfront.</P> Thu, 24 Jul 2014 15:51:48 GMT https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156222#M2553 rroberts 2014-07-24T15:51:48Z https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156223#M2554 <P>I get the same results when I run both commands<BR /> <A href="http://pastebin.com/6N9r82k1">http://pastebin.com/6N9r82k1</A></P> <P>It says no alerts have been fired but when I go to the alert manager I see <A href="http://i.imgur.com/NcoDyy7.png">http://i.imgur.com/NcoDyy7.png</A></P> Thu, 24 Jul 2014 16:00:10 GMT https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156223#M2554 skuller 2014-07-24T16:00:10Z https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156224#M2555 <P>Is it a namespace issue?</P> <P>Try here<BR /> <A href="https://answers.splunk.com/answers/146985/how-to-view-list-of-email-addresses-for-saved-alerts.html">https://answers.splunk.com/answers/146985/how-to-view-list-of-email-addresses-for-saved-alerts.html</A></P> <PRE><CODE>You need to use namespace wildcards to get all the searches (run as admin), I've added a filter to only load searches that have the email action enabled: | rest /servicesNS/-/-/saved/searches search="action.email=1" | table title eai:acl.app eai:acl.owner disabled is_scheduled cron_schedule action.email* </CODE></PRE> <P>I also found these pages helpful</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.0.2/RESTAPI/RESTsearch">http://docs.splunk.com/Documentation/Splunk/6.0.2/RESTAPI/RESTsearch</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTsearchExamples">http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTsearchExamples</A></P> Thu, 26 Mar 2015 08:20:37 GMT https://community.splunk.com/t5/Alerting/Rest-API-not-returning-alerts/m-p/156224#M2555 jackscratch 2015-03-26T08:20:37Z