Alerting

Follow-up to "How can I query to get all alerts which are configured?" solution

pm771
Communicator

My question is about this solution:  https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/... 

I do not have Admin rights.

When I run this query, I get the following warning:

"Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability".

In the result I get only a partial listing.

Anything I can do besides engaging admins to run the query for me?

We use Splunk Enterprise Version: 8.2.1


pm771
Communicator

When I used the first query (all Apps), I got the desired result.

Not sure why since all alerts belong to the same app and my URL included it.


gcusello
SplunkTrust

Hi @pm771,

As @richgalloway said, the message isn't relevant and depends on which SH configuration you have.

In addition, can you access the Monitoring Console or the [Settings -- Searches, Reports and alerts] menu item?

Here you can see all the scheduled searches you have.

If not, I'm sorry, there isn't any other choice for you than to contact the administrators!

Ciao.

Giuseppe

pm771
Communicator

Hello @gcusello ,

Yes, I can get to Alerts listing.

I was not able to apply a compound filter there. Something with AND / OR expressions with various fields.

Is it even possible?

Thank you.


richgalloway
SplunkTrust

The filter boxes in Splunk admin pages are very unintelligent.  They just look for the words you've entered.  Expressions are not supported.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @pm771,

Why do you say this?

As you can see, there's a filter applied in the @woodcock answer, so you can add your own filters. Only one caution: you're using a REST command, so you can use the available fields, not free text.

Ciao.

Giuseppe

pm771
Communicator

Hello @gcusello ,

I was referring to in-built filtering into "Alerts" interface.

[Screenshot: Splunk Alerts Screen.PNG]


gcusello
SplunkTrust

Hi @pm771,

The filter in the Alerts page is only to find an alert.

If you want to put some boolean condition, you can do it in the search.

Anyway, if one of the answers solves your need, please accept it for the other people of the Community; otherwise tell us how we can help you with your request.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

richgalloway
SplunkTrust

That warning doesn't matter.  Alerts are only defined on search heads so there's no need to send the REST query to any indexers.

HOWEVER, if you have independent SHs then you will need to run the query on each one.

---
If this reply helps you, Karma would be appreciated.
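As an added example (not part of any reply in this thread, and not the search from the linked answer), here is one way to combine the two points made above: `splunk_server=local` keeps the `rest` command on the search head, where alerts are defined, so the `dispatch_rest_to_indexers` warning never applies; and the boolean conditions that the Alerts page filter box cannot express are written as `search` clauses over the REST fields instead of free text. The app names `search` and `my_app` are placeholders to replace with your own; the field names used (`is_scheduled`, `alert.track`, `alert_type`, `eai:acl.app`, `eai:acl.owner`, `disabled`, `cron_schedule`, `alert.severity`, `actions`) are standard fields returned by the `saved/searches` endpoint.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search is_scheduled=1 AND (alert.track=1 OR alert_type!="always")
| search (eai:acl.app="search" OR eai:acl.app="my_app") AND NOT disabled=1
| table title eai:acl.app eai:acl.owner cron_schedule alert_type alert.severity actions search
| sort eai:acl.app title
```

The `-/-` in the endpoint path asks for objects across all owners and all apps, but the REST layer still returns only the saved searches the running user has read permission on, which is why a non-admin can see a partial listing even with no warning. On a search head cluster the members share the same saved searches, so one run is enough; with independent search heads the search has to be run on each one, as noted above.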