Solved: Re: How to create a scheduled search to find if an...

jamesy281 · ‎12-22-2014

Hi There,

I want to create a scheduled search to find if any alerts have been set to disabled. I have looked at the _internal index but can't see any way of detecting the status of the alert. can this be done from within a search?

Thanks,
James.

jamesy281 · ‎12-22-2014

acharlieh,

Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:

| rest /services/saved/searches| search "action.email"=1 "disabled"=1

View solution in original post

jamesy281 · ‎12-22-2014

acharlieh,

Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:

| rest /services/saved/searches| search "action.email"=1 "disabled"=1

acharlieh · ‎12-22-2014

Comment because I don't know the exact endpoint and where filter offhand but this is something that can be found in Splunk's REST api. Therefore you can use the | rest search command to get to it.

Your search will take a form like: | rest splunk_server=local /servicesNS/-/-/saved/searches | where disabled=1

(But as I mentioned this is off the top of my head, you'll want to play with the REST API reference and make sure toes are correct)

How to create a scheduled search to find if any alerts have been set to disabled?

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?