Alerting

How to pull a report of all enabled alerts with the recipient list of To and CC?

iqbalintouch
Path Finder

Hi,

I am part of an application support team and we use Splunk as our primary monitoring tool.

Can anyone please help me pull a report in Splunk with the details of all the alerts which are enabled, together with their "To" and "CC" recipient lists? I just need the alert details, not the saved searches and reports. I checked this link but it is not helpful.

Here are the details of Splunk version which I am using:

Splunk Version: 6.3.2
Splunk Build: aaff59bb082c
Current App: Search & Reporting // (we have other apps as well)
App Version: 6.3.2

Some screenshots would be most helpful.

1 Solution

maniishpawar
Path Finder

Here, try this search:

| rest /services/saved/searches
| search title=*
| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email", alert_comparator AS "Comparison", dispatch.earliest_time AS "frequency", alert.severity AS "SEV", author AS "Author", disabled AS "Disabled-True"
| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity, Search, Email, Author, "Disabled-True"


alejandrinod
New Member

Try this one. It will include the recipients of the alert.

| rest /servicesNS/-/-/saved/searches
| search alert.track=1
| fields title description search disabled triggered_alert_count actions action.script.filename action.email.to alert.severity cron_schedule

0 Karma

JRAnderson
Explorer

I am looking for the same thing, but I have found that your search doesn't find any alerts created/running in ES. How can I get ES alerts that are running?

0 Karma

dijikul
Communicator

Do ES alerts have their own alert action? We're not an ES customer, so I can't check, but if you take a look at the results of this query, specifically the "actions" field, I think you'll find what you need:

| rest /servicesNS/-/-/saved/searches
| search disabled=0 AND (actions=** OR actions=** OR ... )
| table title description cron_schedule actions action.email.to action.email.cc *

Once you identify the correct action for ES alerts, you can modify the actions=** filters in the second line, adding the action type between the asterisks to filter for specific action types.

JRAnderson
Explorer

Thanks that provides all of the saved searches including ES.

0 Karma


altink
Builder

Thank you for this.

I tried it; it did return alerts, but not all of them.
Some alerts (of a whole app) are missing, and I cannot find out why.

best regards

Altin

0 Karma

iqbalintouch
Path Finder

Hi @maniishpawar,

Thank you for your response. The query is not giving me the desired output. Actually, in our Splunk instance we have many apps (I am not able to provide a screenshot). So basically I want to pull a report of all the alerts which are enabled under app xyz, and the recipient lists of those alerts, with the fields below:

Title, frequency, Severity, Email

0 Karma

iqbalintouch
Path Finder

I have used the query below to pull all the active/enabled alerts which are being sent to our DL, but I didn't get any results:

| rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com")
| search title=*
| rename title AS "Title", action.email.to AS "Email", dispatch.earliest_time AS "frequency", alert.severity AS "SEV"
| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table Title, frequency, Severity, Email

0 Karma

MuS
Legend

Because this: | rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com") will not work. Also, use a different REST endpoint to get all saved searches. The search should be more like:

| rest /servicesNS/-/-/saved/searches
| search (action.email.to="page.XYZ@xyz.com" OR action.email.to="ABC@xyz.com") title=*
| rename title AS "Title", action.email.to AS "Email", dispatch.earliest_time AS "frequency", alert.severity AS "SEV"
| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table Title, frequency, Severity, Email
0 Karma

iqbalintouch
Path Finder

Hi @MuS,

No help 😞, nothing is coming up. Please help me if you can; if you could show me the results in a screenshot, I would be very thankful.

0 Karma

MuS
Legend

Okay, just run this:

| rest /servicesNS/-/-/saved/searches

And work your way from there to get the result you want.

iqbalintouch
Path Finder

Thanks a lot @MuS, I got the details. Appreciated 🙂

0 Karma
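A consolidated query for the original question, added here as an example; it is not taken from any of the posts above. It follows MuS's advice to read /servicesNS/-/-/saved/searches so that every app and owner is covered, and it returns both action.email.to and action.email.cc as dijikul's query does. The app name xyz and the two distribution-list addresses are the placeholders from the question. Two things are assumptions on my part rather than anything stated in the thread: splunk_server=local is the standard rest option that stops a search head with search peers from returning each object once per peer, and alert_type!=always is the clause that separates alerts from plain scheduled reports (a saved search with no alert condition carries alert_type=always); drop that clause if you also want scheduled reports that merely email their results. Keep in mind that | rest only returns objects the running user has read permission on, so if the list looks short, run it under a role that can see every app.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search disabled=0 alert_type!=always actions=*email* (action.email.to=* OR action.email.cc=*)
| search "eai:acl.app"="xyz"
| eval Recipients=mvappend(split(replace(coalesce('action.email.to',""),"\s",""),","), split(replace(coalesce('action.email.cc',""),"\s",""),","))
| eval Recipients=mvfilter(Recipients!="")
| search Recipients="page.XYZ@xyz.com" OR Recipients="ABC@xyz.com"
| eval Severity=case('alert.severity'=="5","Critical-5", 'alert.severity'=="4","High-4", 'alert.severity'=="3","Warning-3", 'alert.severity'=="2","Low-2", 'alert.severity'=="1","Info-1")
| rename title AS Title, "eai:acl.app" AS App, "eai:acl.owner" AS Owner, cron_schedule AS "Cron Schedule", action.email.to AS To, action.email.cc AS CC
| table App Owner Title "Cron Schedule" Severity To CC Recipients
```

The Recipients field is built by stripping whitespace from the comma-separated To and CC strings, splitting them into a multivalue field and joining the two lists, so the final search matches an address wherever it appears in either list (the exact-match filter on action.email.to in the earlier query fails as soon as the field holds more than one address). Remove the "| search Recipients=..." line to list every enabled email alert in the app, and change "eai:acl.app"="xyz" to "eai:acl.app"=* to cover all apps. Field names containing dots, such as action.email.to and alert.severity, must be single-quoted inside eval, which is why the query does not rename them before the eval stages.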