My question is about this solution: https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/...
I do not have Admin rights.
When I run this query I get the following warning:
"Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability".
In the result I get only a partial listing.
Anything I can do besides engaging admins to run the query for me?
We use Splunk Enterprise Version: 8.2.1
When I used the first query (all Apps), I got the desired result.
Not sure why since all alerts belong to the same app and my URL included it.
Hi @pm771,
As @richgalloway said, the message isn't relevant and depends on which SH configuration you have.
In addition, can you access the Monitoring Console or the [Settings -- Searches, Reports and alerts] menu item?
Here you can see all the scheduled searches you have.
If not, I'm sorry, but there isn't any other choice for you than to contact the administrators!
Ciao.
Giuseppe
Hello @gcusello ,
Yes, I can get to Alerts listing.
I was not able to apply a compound filter there. Something with AND / OR expressions with various fields.
Is it even possible?
Thank you.
The filter boxes in Splunk admin pages are very unintelligent. They just look for the words you've entered. Expressions are not supported.
Hello @gcusello ,
I was referring to the built-in filtering in the "Alerts" interface.
Hi @pm771,
the filter in the Alerts page is only to find an alert.
If you want to put some boolean condition, you can do it in the search.
Anyway, if one of the answers solves your need, please accept it for the other people of the Community; otherwise tell us how we can help you with your request.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
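A worked example of the boolean filtering described above, added here and not part of any post in the thread: a `rest` search over saved searches that keeps only enabled, scheduled alerts and then narrows them with AND/OR/NOT across several fields, which the Alerts page filter box cannot do. The app names `search` and `my_app` and the `*test*` title pattern are placeholders; `splunk_server=local` restricts the call to the search head you are on, where alerts are defined, and so avoids the dispatch_rest_to_indexers warning.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search is_scheduled=1 AND disabled=0
| search alert_type!="always" OR alert.track=1
| search (eai:acl.app="search" OR eai:acl.app="my_app") AND NOT title="*test*"
| fillnull value="none" actions
| table title eai:acl.app eai:acl.owner eai:acl.sharing cron_schedule alert_type alert.severity actions
| sort eai:acl.app title
```

The `alert_type!="always" OR alert.track=1` line is what separates alerts from plain scheduled reports, and the app/title line is where any compound condition goes. On independent search heads the search has to be run on each one, since each holds only its own saved searches.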
That warning doesn't matter. Alerts are only defined on search heads so there's no need to send the REST query to any indexers.
HOWEVER, if you have independent SHs then you will need to run the query on each one.