Alerting

How can I query to get all alerts which are configured?

New Member

Hi,

I wanted to export all the alerts which I have configured under Searches, Reports and Alerts via a Splunk query.

Regards,
Mani

1 Solution

Esteemed Legend

Like this:

ALL APPS:

| rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Search app only:

| rest /servicesNS/-/search/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule


Esteemed Legend

Be sure to click Accept on the best working answer to close the question.


Splunk Employee

This isn't necessarily accurate - if for some reason alert.track has not been set, this will not return all results. You can check this yourself by comparing the GUI counts against the results of the searches above.

The workaround would be to narrow down the search results in a different way - most configured alerts will have at least one action associated with them, so I used something along the lines of | rest /servicesNS/-/search/saved/searches | search actions!="" | <fields go here>

Esteemed Legend

The question was to show all alerts, not all saved searches that have alert actions. My answer does the former, for sure.


Splunk Employee

It doesn't return all alerts, however - alert.track is set to 1 by default, but if someone changes it, or it is set otherwise by an app, the query above does not return all alerts, alert action or not. This comment thread serves to inform users of the query above to be on the lookout for this scenario - it is not a guarantee that all configured alerts will be returned.

Esteemed Legend

Incorrect. Originally only alerts had alert actions, but customers insisted, and now reports also can have alert actions, so literally there is no functional difference between the two. There is now only a taxonomical difference, which you are free to slice any way that you like. Settings-wise, the difference between the two now is defined in savedsearches.conf as: alert.track=1 means alert and alert.track=0 means report. That is it.
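Putting the accepted answer and the alert.track caveat from the comments together, the following is an added example and not a query posted by anyone in this thread. It lists every saved search across all apps, classifies each one by alert.track and by whether it has any action configured, and keeps only the rows classified as alerts, so the ones where alert.track is unset (or left at auto) are visible as their own category instead of silently dropped. The fields used (eai:acl.app, eai:acl.owner, eai:acl.sharing, alert_type, alert_comparator, alert_threshold, action.email.to) are standard fields returned by the saved/searches endpoint; splunk_server=local is an assumption that the query is run on the search head that owns the alerts, and count=0 is set explicitly so the endpoint's default page size cannot truncate the list.

```spl
| rest /servicesNS/-/-/saved/searches count=0 splunk_server=local
| eval alert_track=coalesce('alert.track', "unset")
| eval kind=case(
    alert_track="1", "alert",
    alert_track="0", "report",
    isnotnull(actions) AND actions!="", "alert (alert.track ".alert_track.", has actions)",
    true(), "report (alert.track ".alert_track.")")
| search kind="alert*"
| rename eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing
| table app owner sharing title kind disabled is_scheduled cron_schedule alert_type alert_comparator alert_threshold actions action.email.to action.script.filename alert.severity search
| sort app title
```

The | rest command runs with the searching user's credentials, so the result only contains saved searches that user's role is permitted to read; run it as an admin, or at least as a user with read access to every app you care about, and compare the row count against the Alerts page in the UI as suggested in the comments above. Drop the `| search kind="alert*"` line to see reports as well, including reports that carry alert actions. To export, add `| outputcsv configured_alerts.csv` (written under var/run/splunk/csv on the search head) or use the Export button on the results.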