Hi There,
I want to create a scheduled search to find if any alerts have been set to disabled. I have looked at the _internal index but can't see any way of detecting the status of the alert. can this be done from within a search?
Thanks,
James.
acharlieh,
Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:
| rest /services/saved/searches| search "action.email"=1 "disabled"=1
acharlieh,
Thanks for the quick response and the info, it pointed me in the right direction, the actual search I used that worked was:
| rest /services/saved/searches| search "action.email"=1 "disabled"=1
Comment because I don't know the exact endpoint and where filter offhand but this is something that can be found in Splunk's REST api. Therefore you can use the | rest search command to get to it.
Your search will take a form like: | rest splunk_server=local /servicesNS/-/-/saved/searches | where disabled=1
(But as I mentioned this is off the top of my head, you'll want to play with the REST API reference and make sure toes are correct)