Hi,
I am part of an application support team and we use Splunk as our primary monitoring tool.
Can anyone please help me pull a report in Splunk that lists all enabled alerts together with their "To" and "CC" recipient lists? I only need the alert details, not the saved searches and reports. I checked this link but it was not helpful.
Here are the details of Splunk version which I am using:
Splunk Version: 6.3.2
Splunk Build: aaff59bb082c
Current App: Search & Reporting // (we have other apps as well)
App Version: 6.3.2
Some screenshots would be most helpful.
Here, try this search:
| rest /services/saved/searches | search title=*| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email" ,alert_comparator AS "Comparison", dispatch.earliest_time AS "frequency", alert.severity AS "SEV" ,author AS "Author" ,disabled AS "Disabled-True"| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity,Search, Email,Author,Disabled-True
Try this one. It will include the recipients of the alert:
| rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename action.email.to alert.severity cron_schedule
I am looking for the same thing, but I have found that your search doesn't find any alerts created or running in ES. How can I get the ES alerts that are running?
Do ES alerts have their own alert action? We're not an ES customer, so I can't check, but if you take a look at the results of this query, specifically the "actions" field, I think you'll find what you need:
| rest /servicesNS/-/-/saved/searches
| search disabled=0 AND (actions=** OR actions=** OR ... )
| table title description cron_schedule actions action.email.to action.email.cc *
Once you identify the correct action for ES alerts, you can modify the actions=** filters in the second line, putting the action type between the asterisks to filter for specific action types.
Thanks, that provides all of the saved searches, including ES.
Hi @maniishpawar,
Thank you for your response. The query is not giving me the desired output. Actually, in our Splunk instance we have many apps (I am not able to provide a screenshot). So basically I want to pull a report of all the alerts that are enabled under app xyz and the recipient list of those alerts, with the fields below:
Title, frequency, Severity, Email
I have used the query below to pull all the active/enabled alerts that are being sent to our DL, but didn't get any results:
| rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com") | search title=*| rename title AS "Title", action.email.to AS "Email" , dispatch.earliest_time AS "frequency", alert.severity AS "SEV" | eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, frequency, Severity, Email
That is because this | rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com")
will not work. Also, use a different REST endpoint to get all saved searches across apps. The search should look more like this:
| rest /servicesNS/-/-/saved/searches | search (action.email.to="page.XYZ@xyz.com" OR action.email.to="ABC@xyz.com") title=*| rename title AS "Title", action.email.to AS "Email" , dispatch.earliest_time AS "frequency", alert.severity AS "SEV" | eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, frequency, Severity, Email
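The same filtering can be done outside the search bar against the REST endpoint the answers above use (/servicesNS/-/-/saved/searches). The script below is an added example and is not code from the thread or from Splunk: it applies the alert.track=1 and actions=email criteria from the earlier answers, optionally restricts to an app and to a recipient DL, and splits the comma-separated To/CC lists so that a multi-recipient alert still matches a single address (the likely reason an exact action.email.to="..." match returns nothing). The JSON entries are constructed for the example; the app names, e-mail addresses, hostname and credentials are placeholders.

```python
"""List enabled Splunk alerts that e-mail a given recipient.

Reads the JSON that GET /servicesNS/-/-/saved/searches?output_mode=json returns
(the same attribute names appear as fields in the `| rest` search command).
The sample response below is constructed for this example, not real data.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, Iterable, List, Optional, Set

# Same mapping as the eval/case() in the searches above.
SEVERITY = {"1": "Info-1", "2": "Low-2", "3": "Warning-3", "4": "High-4", "5": "Critical-5"}

# Constructed sample: the shape of entry[] in the REST JSON, trimmed to the keys used here.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Disk full on app hosts", "acl": {"app": "xyz", "owner": "admin"},
     "content": {"disabled": False, "alert.track": True, "actions": "email",
                 "action.email.to": "page.XYZ@xyz.com, oncall@xyz.com",
                 "action.email.cc": "ABC@xyz.com", "alert.severity": "4",
                 "cron_schedule": "*/5 * * * *", "search": "index=os df_pct>90"}},
    {"name": "Weekly capacity report", "acl": {"app": "xyz", "owner": "admin"},
     "content": {"disabled": False, "alert.track": False, "actions": "email",
                 "action.email.to": "ABC@xyz.com", "alert.severity": "3",
                 "cron_schedule": "0 6 * * 1"}},
    {"name": "Old login alert", "acl": {"app": "search", "owner": "bob"},
     "content": {"disabled": True, "alert.track": True, "actions": "email",
                 "action.email.to": "ABC@xyz.com", "alert.severity": "5",
                 "cron_schedule": "0 * * * *"}},
    {"name": "Script-only alert", "acl": {"app": "xyz", "owner": "bob"},
     "content": {"disabled": False, "alert.track": True, "actions": "script",
                 "action.script.filename": "notify.sh", "alert.severity": "2",
                 "cron_schedule": "0 * * * *"}},
]})


def truthy(v) -> bool:
    """REST JSON returns real booleans; `| rest` returns "0"/"1" strings. Accept both."""
    return v is True or str(v).strip().lower() in ("1", "true")


def recipients(value) -> List[str]:
    """Split a comma-separated action.email.to / .cc value into individual addresses."""
    return [a.strip() for a in str(value or "").split(",") if a.strip()]


def email_alerts(response_json: str, apps: Optional[Set[str]] = None,
                 recipient_filter: Iterable[str] = ()) -> List[Dict]:
    """Return enabled, tracked alerts with an email action, optionally limited to apps
    and to alerts whose To or CC list contains one of recipient_filter (case-insensitive)."""
    wanted = {r.strip().lower() for r in recipient_filter}
    rows = []
    for entry in json.loads(response_json).get("entry", []):
        c = entry.get("content", {})
        acl = entry.get("acl", {})
        if truthy(c.get("disabled")):
            continue                                   # skip disabled searches
        if not truthy(c.get("alert.track")):
            continue                                   # alert.track=1 == alert, as in the answer above
        actions = [a.strip() for a in str(c.get("actions", "")).split(",")]
        if "email" not in actions:
            continue                                   # no email action, so no To/CC to report
        if apps and acl.get("app") not in apps:
            continue
        to, cc = recipients(c.get("action.email.to")), recipients(c.get("action.email.cc"))
        if wanted and not wanted & {a.lower() for a in to + cc}:
            continue
        sev = str(c.get("alert.severity", ""))
        rows.append({"title": entry.get("name"), "app": acl.get("app"), "owner": acl.get("owner"),
                     "cron": c.get("cron_schedule"), "severity": SEVERITY.get(sev, sev),
                     "to": to, "cc": cc})
    return rows


def fetch_saved_searches(base_url: str, user: str, password: str, cafile: Optional[str] = None) -> str:
    """GET /servicesNS/-/-/saved/searches as JSON with HTTP basic auth over the management port.
    base_url is assumed, e.g. https://splunk.example.com:8089; cafile is the CA that signed the
    management certificate so TLS verification stays on. Not called in the offline example."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for row in email_alerts(SAMPLE_RESPONSE, apps={"xyz"}, recipient_filter=["ABC@xyz.com"]):
        print(f'{row["title"]} [{row["app"]}] {row["cron"]} {row["severity"]} '
              f'to={",".join(row["to"])} cc={",".join(row["cc"])}')
```

One caveat when relying on alert.track: it mirrors the "Add to Triggered Alerts" option, so an alert saved without that option has alert.track=0 and is dropped here just as it is by the `| search alert.track=1` answer; if that matters, filter on actions and cron_schedule instead and review the list by hand.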
Hi @MuS,
No help 😞, nothing is coming up. Please help me if you can show me the results in a screenshot; I would be very thankful to you.
Okay, just run this:
| rest /servicesNS/-/-/saved/searches
and work your way from there to get the result you want.
Thanks a lot @MuS, I got the details. Appreciated 🙂