Alerting

How to move alerts from different remote environments to one local environment?

hunterpj
Path Finder

I have been trying to see if there is a way one can look into the files of a remote Splunk Instance, so I may copy the alerts from savedsearches.conf. I can easily copy the source XML for the dashboards i wish to copy, but is there any kind of source code for alerts? I know I could open and copy the search, but that's not what I want.

0 Karma
1 Solution

adonio
Ultra Champion

an alert is a saved search with an action of some sort (although you can have actions on saved searches that are not alerts).
as such, they are set in savedsaerches.conf you can find them via | rest command
try this:

   | rest/servicesNS/-/-/saved/searches
   | search alert.track=1 NOT eai:acl.app = splunk_monitoring_console
   | table title eai:acl.app description search disabled triggered_alert_count actions action.script.filename alert.severity 
      cron_schedule

create a new savedsearces.conf file in a new app, copy all savedsearches.conf to the new file and deploy to your search head

hope it helps

View solution in original post

adonio
Ultra Champion

an alert is a saved search with an action of some sort (although you can have actions on saved searches that are not alerts).
as such, they are set in savedsaerches.conf you can find them via | rest command
try this:

   | rest/servicesNS/-/-/saved/searches
   | search alert.track=1 NOT eai:acl.app = splunk_monitoring_console
   | table title eai:acl.app description search disabled triggered_alert_count actions action.script.filename alert.severity 
      cron_schedule

create a new savedsearces.conf file in a new app, copy all savedsearches.conf to the new file and deploy to your search head

hope it helps

hunterpj
Path Finder

This does help and is useful, but what I want is how each alert is displayed in savedsearches.conf. When i look at my savedsearches.conf on my local instance, it is structured differently. I will look into it on my own as well, but if you know how to show the raw configuration file that would help immensely.

0 Karma

hunterpj
Path Finder

I also found a app, called Config Quest, that does the same thing as above, but puts in in the format of a config file. The only thing is, it gives you every single parameter in the savedsearches.conf file and its value, so it isn't good for copy-pasting.

0 Karma

jkat54
SplunkTrust
SplunkTrust
0 Karma

jkat54
SplunkTrust
SplunkTrust
| rest /servicesNS/admin/myapp/configs/conf-savedsearches
0 Karma

adonio
Ultra Champion

i think that in savedsearches.conf all enabled alerts has alert.track = 1 under their relevant stanzas

0 Karma

jkat54
SplunkTrust
SplunkTrust

I really like this answer Ari! I’d like to shamelessly add that if you wanted to automate a process like this, it could probably be done using the curl command in the ta-webtools app. I would only try that if I had more than x amount to migrate though.

Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...