topic Re: How to pull a report of all enabled alerts with the recipient list of To and CC? in Alerting

How to pull a report of all enabled alerts with the recipient list of To and CC?

iqbalintouch — Thu, 25 May 2017 15:24:34 GMT

Hi,

I am a part of application support team and using Splunk as our primary tool for monitoring purpose..

Can anyone please help me to pull a report in Splunk to get the details of all the alerts which are enabled with "To" and "CC" recipient list. I just need the alert details not the saved searches and reports, checked this link but it is not helpful.

Here are the details of Splunk version which I am using:

Splunk Version: 6.3.2
Splunk Build: aaff59bb082c
Current App: Search & Reporting // (we have other apps as well)
App Version: 6.3.2

some screenshot would be most helpful.

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

maniishpawar — Thu, 25 May 2017 16:20:48 GMT

Here try this search

| rest /services/saved/searches | search title=*| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email" ,alert_comparator AS "Comparison", dispatch.earliest_time  AS "frequency", alert.severity AS  "SEV" ,author AS "Author" ,disabled AS "Disabled-True"| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity,Search, Email,Author,Disabled-True

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

iqbalintouch — Fri, 26 May 2017 03:56:13 GMT

Hi @maniishpawar,

thank you for your response. The query is not giving me the desired output. Actually in our Splunk tool, we have many apps (not able to provide screenshot). So basically I want to pull a report for all the alerts which are enabled under apps xyz and the recipient list of those alerts with below fields:

Title frequency Severity Email

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

iqbalintouch — Fri, 26 May 2017 04:08:25 GMT

I have used below query to pull all the active/enable alerts which are being sent to our DL, but didn't get the result:

| rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com") | search title=*| rename title AS "Title", action.email.to AS "Email" , dispatch.earliest_time AS "frequency", alert.severity AS "SEV" | eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, frequency, Severity, Email

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

MuS — Fri, 26 May 2017 04:24:48 GMT

because this | rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com") will not work. Also use a different rest endpoint to get all saved searches. The search should be more like :

| rest /servicesNS/-/-/saved/searches | search action.email.to="page.XYZ@xyz.com" OR action.email.to="ABC@xyz.com" title=*| rename title AS "Title", action.email.to AS "Email" , dispatch.earliest_time AS "frequency", alert.severity AS "SEV" | eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, frequency, Severity, Email

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

iqbalintouch — Fri, 26 May 2017 05:08:54 GMT

Hi @MuS,

no help 😞 nothing is coming up..please help me if you can show me the results in a screenshot, would be very thankful to you.

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

MuS — Fri, 26 May 2017 05:47:29 GMT

Okay just run this

| rest /servicesNS/-/-/saved/searches

And work your way from there to get the result you want.

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

iqbalintouch — Fri, 26 May 2017 10:19:42 GMT

Thanks a lot @MuS, I got the details. Appreciated 🙂

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

alejandrinod — Tue, 29 Sep 2020 22:53:48 GMT

try this one. it will include the recipients of the alert.

|rest/servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename action.email.to alert.severity cron_schedule

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

JRAnderson — Wed, 26 Feb 2020 16:18:59 GMT

I am looking for the same thing, but I have found that your search doesn't find any alerts created/running in ES. How can I get ES alerts that are running?

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

dijikul — Wed, 26 Feb 2020 16:36:42 GMT

Do ES Alerts have their own Alert Action? We're not an ES Customer, so I can't check, but if you take a look at the results of this query, specifically the "Actions" field, I think you'll find what you need:

| REST /servicesNS/-/-/saved/searches 
| search disabled=0 AND (actions=** OR actions=** OR ... )
| table title description cron_schedule actions action.email.to action.email.cc *

Once you identify the correct Action for ES alerts, you can add that modify the actions=** filters in the second line, adding the action type between the asterisk to filter for specific action types.

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

JRAnderson — Wed, 26 Feb 2020 17:04:22 GMT

Thanks that provides all of the saved searches including ES.

Re: How to pull a report of all enabled alerts with the recipient list of To and CC?

altink — Fri, 26 Mar 2021 14:41:55 GMT

thank you for this.

I tried, did return alerts, but not all.
Some alerts (of a whole app) are missing - and I cannot find why.

best regards

Altin