Alerting

How to move alerts from different remote environments to one local environment?

hunterpj
Path Finder

I have been trying to see if there is a way one can look into the files of a remote Splunk instance, so I may copy the alerts from savedsearches.conf. I can easily copy the source XML for the dashboards I wish to copy, but is there any kind of source code for alerts? I know I could open and copy the search, but that's not what I want.

0 Karma
1 Solution

adonio
Ultra Champion

An alert is a saved search with an action of some sort (although you can have actions on saved searches that are not alerts).
As such, they are set in savedsearches.conf; you can find them via the | rest command.
Try this:

   | rest /servicesNS/-/-/saved/searches
   | search alert.track=1 NOT eai:acl.app = splunk_monitoring_console
   | table title eai:acl.app description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Create a new savedsearches.conf file in a new app, copy all savedsearches.conf to the new file and deploy to your search head.

hope it helps


hunterpj
Path Finder

This does help and is useful, but what I want is how each alert is displayed in savedsearches.conf. When I look at my savedsearches.conf on my local instance, it is structured differently. I will look into it on my own as well, but if you know how to show the raw configuration file that would help immensely.

0 Karma

hunterpj
Path Finder

I also found an app, called Config Quest, that does the same thing as above, but puts it in the format of a config file. The only thing is, it gives you every single parameter in the savedsearches.conf file and its value, so it isn't good for copy-pasting.

0 Karma

jkat54
SplunkTrust

   | rest /servicesNS/admin/myapp/configs/conf-savedsearches

0 Karma
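As an added example (not code from the thread), assuming the JSON that the configs/conf-savedsearches endpoint jkat54 mentions returns when requested with output_mode=json (an `entry` list with `name` and `content`), this script keeps only the alert stanzas (alert.track = 1, the same filter adonio's search uses) and the fields worth migrating, and renders them as savedsearches.conf text for the new app:

```python
"""Render alert stanzas from Splunk's /configs/conf-savedsearches REST JSON
as savedsearches.conf text, keeping only the keys worth migrating."""
import json

# Assumption: the thread's table fields plus the keys an alert needs to fire.
KEEP_KEYS = ("search", "description", "disabled", "cron_schedule",
             "dispatch.earliest_time", "dispatch.latest_time", "alert.track",
             "alert.severity", "actions", "action.script.filename")

def is_alert(content):
    """alert.track is '1' in the conf file; accept a JSON bool as well."""
    return str(content.get("alert.track", "0")).lower() in ("1", "true")

def conf_value(value):
    """Multi-line searches need backslash line continuation in .conf files."""
    return str(value).replace("\n", " \\\n    ")

def render_savedsearches(rest_json, keep_keys=KEEP_KEYS):
    """Return savedsearches.conf text for every alert in the REST document."""
    stanzas = []
    for entry in rest_json["entry"]:
        content = entry["content"]
        if not is_alert(content):
            continue  # plain reports and ad-hoc saved searches are skipped
        lines = ["[%s]" % entry["name"]]
        for key in keep_keys:
            if content.get(key) not in (None, ""):
                lines.append("%s = %s" % (key, conf_value(content[key])))
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"

# Constructed sample of the endpoint's JSON: one alert and one plain report.
SAMPLE = json.loads("""{"entry": [
 {"name": "Failed logins spike", "content": {
   "search": "index=auth action=failure\\n| stats count by user\\n| where count > 20",
   "alert.track": "1", "alert.severity": "4", "cron_schedule": "*/5 * * * *",
   "disabled": "0", "actions": "email", "dispatch.earliest_time": "-15m",
   "dispatch.latest_time": "now", "eai:acl": {"app": "search"},
   "realtime_schedule": "1"}},
 {"name": "Weekly report", "content": {
   "search": "index=web | timechart count", "alert.track": "0"}}
]}""")

if __name__ == "__main__":
    print(render_savedsearches(SAMPLE))
```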

adonio
Ultra Champion

I think that in savedsearches.conf all enabled alerts have alert.track = 1 under their relevant stanzas.

0 Karma

jkat54
SplunkTrust

I really like this answer Ari! I’d like to shamelessly add that if you wanted to automate a process like this, it could probably be done using the curl command in the ta-webtools app. I would only try that if I had more than x amount to migrate though.
