Alerting

Follow-up to "How can I query to get all alerts which are configured?" solution

pm771
Communicator

My question is about this solution:  https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/m-p/... 

I do not have Admin rights.

When I run this query I get the following warning:

"Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability".

In the result I get only a partial listing.

Anything I can do besides engaging admins to run the query for me?

We use Splunk Enterprise Version: 8.2.1


pm771
Communicator

When I used the first query (all Apps), I got the desired result.

Not sure why since all alerts belong to the same app and my URL included it.


gcusello
SplunkTrust

Hi @pm771,

As @richgalloway said, the message isn't relevant and depends on which SH configuration you have.

In addition, can you access the Monitoring Console or the [Settings -- Searches, Reports and alerts] menu item?

Here you can see all the scheduled searches you have.

If not, I'm sorry, there isn't any other choice for you than to contact the administrators!

Ciao.

Giuseppe

pm771
Communicator

Hello @gcusello ,

Yes, I can get to Alerts listing.

I was not able to apply a compound filter there. Something with AND / OR expressions with various fields.

Is it even possible?

Thank you.


richgalloway
SplunkTrust

The filter boxes in Splunk admin pages are very unintelligent.  They just look for the words you've entered.  Expressions are not supported.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @pm771,

Why do you say this?

As you can see, there's a filter applied in the @woodcock answer, so you can add your own filters, with one caveat: you're using a REST command, so you can only use the available fields, not free text.

Ciao.

Giuseppe

pm771
Communicator

Hello @gcusello ,

I was referring to the built-in filtering in the "Alerts" interface.

[Screenshot: Splunk Alerts screen]


gcusello
SplunkTrust

Hi @pm771,

The filter in the Alerts page is only for finding an alert.

If you want to put some boolean condition, you can do it in the search.

Anyway, if one of the answers solves your need, please accept it for the other people in the Community; otherwise, tell us how we can help you with your request.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

richgalloway
SplunkTrust

That warning doesn't matter.  Alerts are only defined on search heads so there's no need to send the REST query to any indexers.

HOWEVER, if you have independent SHs then you will need to run the query on each one.

---
If this reply helps you, Karma would be appreciated.
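Putting the two points above together (boolean conditions go in the search, not the UI filter, and alerts live only on the search head), here is an added example of a non-admin REST query, not taken from the thread or the linked answer. `splunk_server=local` keeps the `rest` command on the local search head so the capability warning does not appear, and the `search` stages apply the compound filter on REST fields; the app name `my_app` is a placeholder to replace with your own.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search is_scheduled=1 (alert.track=1 OR actions="*")
| search (eai:acl.app="search" OR eai:acl.app="my_app") disabled=0
| table title eai:acl.app eai:acl.owner cron_schedule alert.severity actions disabled
```

Only saved searches the current user's role is allowed to read are returned, so the listing is still scoped by your permissions; on independent search heads the query has to be run on each one.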