Alerting

How to create a scheduled search to find if any alerts have been set to disabled?

jamesy281
Path Finder

Hi There,

I want to create a scheduled search to find if any alerts have been set to disabled. I have looked at the _internal index but can't see any way of detecting the status of the alert. can this be done from within a search?

Thanks,
James.

1 Solution

jamesy281
Path Finder

acharlieh,

Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:

| rest /services/saved/searches| search "action.email"=1 "disabled"=1

View solution in original post

jamesy281
Path Finder

acharlieh,

Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:

| rest /services/saved/searches| search "action.email"=1 "disabled"=1

acharlieh
Influencer

Comment because I don't know the exact endpoint and where filter offhand but this is something that can be found in Splunk's REST api. Therefore you can use the | rest search command to get to it.

Your search will take a form like: | rest splunk_server=local /servicesNS/-/-/saved/searches | where disabled=1

(But as I mentioned this is off the top of my head, you'll want to play with the REST API reference and make sure toes are correct)

Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...