Solved: Re: How to create a scheduled search to find if an...

jamesy281 · ‎12-22-2014

Hi There,

I want to create a scheduled search to find if any alerts have been set to disabled. I have looked at the _internal index but can't see any way of detecting the status of the alert. can this be done from within a search?

Thanks,
James.

jamesy281 · ‎12-22-2014

acharlieh,

Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:

| rest /services/saved/searches| search "action.email"=1 "disabled"=1

View solution in original post

jamesy281 · ‎12-22-2014

acharlieh,

Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:

| rest /services/saved/searches| search "action.email"=1 "disabled"=1

acharlieh · ‎12-22-2014

Comment because I don't know the exact endpoint and where filter offhand but this is something that can be found in Splunk's REST api. Therefore you can use the | rest search command to get to it.

Your search will take a form like: | rest splunk_server=local /servicesNS/-/-/saved/searches | where disabled=1

(But as I mentioned this is off the top of my head, you'll want to play with the REST API reference and make sure toes are correct)

How to create a scheduled search to find if any alerts have been set to disabled?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?