How to pull a report of all enabled alerts with the recipient list of To and CC?

iqbalintouch
Path Finder

Hi,

I am part of an application support team and we use Splunk as our primary monitoring tool.

Can anyone please help me pull a report in Splunk with the details of all enabled alerts together with their "To" and "CC" recipient lists? I just need the alert details, not the saved searches and reports. I checked this link but it was not helpful.

Here are the details of Splunk version which I am using:

Splunk Version: 6.3.2
Splunk Build: aaff59bb082c
Current App: Search & Reporting // (we have other apps as well)
App Version: 6.3.2

Some screenshots would be most helpful.


maniishpawar
Path Finder

Here, try this search:

| rest /services/saved/searches
| search title=*
| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email", alert_comparator AS "Comparison", dispatch.earliest_time AS "frequency", alert.severity AS "SEV", author AS "Author", disabled AS "Disabled-True"
| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity, Search, Email, Author, "Disabled-True"


alejandrinod
New Member

Try this one; it will include the recipients of the alert.

| rest /servicesNS/-/-/saved/searches
| search alert.track=1
| fields title description search disabled triggered_alert_count actions action.script.filename action.email.to alert.severity cron_schedule


JRAnderson
Explorer

I am looking for the same thing, but I have found that your search doesn't find any alerts created/running in ES. How can I get the ES alerts that are running?


dijikul
Communicator

Do ES alerts have their own alert action? We're not an ES customer, so I can't check, but if you take a look at the results of this query, specifically the "Actions" field, I think you'll find what you need:

| rest /servicesNS/-/-/saved/searches
| search disabled=0 AND (actions=** OR actions=** OR ... )
| table title description cron_schedule actions action.email.to action.email.cc *

Once you identify the correct action for ES alerts, you can modify the actions=** filters in the second line, adding the action type between the asterisks to filter for specific action types.

JRAnderson
Explorer

Thanks, that provides all of the saved searches, including ES.

altink
Builder

Thank you for this.

I tried; it did return alerts, but not all.
Some alerts (of a whole app) are missing, and I cannot find why.

Best regards,

Altin


iqbalintouch
Path Finder

Hi @maniishpawar,

Thank you for your response. The query is not giving me the desired output. Actually, in our Splunk tool we have many apps (I am not able to provide a screenshot). So basically I want to pull a report of all the alerts which are enabled under app xyz, together with the recipient list of those alerts, with the fields below:

Title, frequency, Severity, Email


iqbalintouch
Path Finder

I have used the query below to pull all the active/enabled alerts which are being sent to our DL, but I didn't get the result:

| rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com")
| search title=*
| rename title AS "Title", action.email.to AS "Email", dispatch.earliest_time AS "frequency", alert.severity AS "SEV"
| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table Title, frequency, Severity, Email


MuS
Legend

Because this | rest /services/saved/searches action.email.to=("page.XYZ@xyz.com" OR "ABC@xyz.com") will not work. Also, use a different REST endpoint to get all saved searches. The search should be more like:

| rest /servicesNS/-/-/saved/searches
| search action.email.to="page.XYZ@xyz.com" OR action.email.to="ABC@xyz.com" title=*
| rename title AS "Title", action.email.to AS "Email", dispatch.earliest_time AS "frequency", alert.severity AS "SEV"
| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table Title, frequency, Severity, Email

iqbalintouch
Path Finder

Hi @MuS,

No help 😞 nothing is coming up. Please help me; if you can show me the results in a screenshot, I would be very thankful to you.


MuS
Legend

Okay, just run this:

| rest /servicesNS/-/-/saved/searches

And work your way from there to get the result you want.
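As an added example (not code from this thread or from Splunk), the same filtering done offline in Python over the JSON form of that endpoint's output: it keeps only enabled alerts, splits the To and CC lists, and also keeps ES-style alerts whose "actions" field carries their own action type, which is what the ES question above was about. The sample response is constructed, and the rule for what counts as an alert (alert.track set, or at least one alert action) is an assumption, not a documented Splunk rule.

```python
import json

# Constructed sample standing in for GET /servicesNS/-/-/saved/searches?output_mode=json,
# trimmed to the fields the thread uses (not output captured from a real instance).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Disk full", "acl": {"app": "search"},
     "content": {"disabled": False, "alert.track": True, "actions": "email",
                 "action.email.to": "ops@xyz.example", "action.email.cc": "lead@xyz.example",
                 "alert.severity": 4}},
    {"name": "Weekly report", "acl": {"app": "search"},
     "content": {"disabled": False, "alert.track": False, "actions": "",
                 "action.email.to": "mgmt@xyz.example", "alert.severity": 3}},
    {"name": "Old alert", "acl": {"app": "xyz"},
     "content": {"disabled": True, "alert.track": True, "actions": "email",
                 "action.email.to": "ops@xyz.example", "alert.severity": 5}},
    {"name": "ES correlation", "acl": {"app": "SplunkEnterpriseSecuritySuite"},
     "content": {"disabled": False, "alert.track": False, "actions": "notable, email",
                 "action.email.to": "soc@xyz.example, ops@xyz.example", "alert.severity": 5}},
]})

# Same mapping as the eval Severity=case(...) in the thread's SPL.
SEVERITY = {5: "Critical-5", 4: "High-4", 3: "Warning-3", 2: "Low-2", 1: "Info-1"}

def split_list(value):
    """To/CC (and actions) come back as one comma-separated string; normalise to a list."""
    return [a.strip() for a in str(value or "").split(",") if a.strip()]

def enabled_alert_recipients(response_json, app=None, recipient=None):
    """Rows for enabled alerts only, optionally limited to one app or to alerts
    that mail a given address in To or CC (the DL case from the thread)."""
    rows = []
    for entry in json.loads(response_json)["entry"]:
        c, app_name = entry["content"], entry["acl"]["app"]
        actions = split_list(c.get("actions"))
        # Assumption: a saved search is an alert when alert.track is set or it has at
        # least one alert action; the latter is what picks up ES alerts, whose
        # "actions" field carries their own action type alongside any email action.
        if c.get("disabled") or not (c.get("alert.track") or actions):
            continue
        to, cc = split_list(c.get("action.email.to")), split_list(c.get("action.email.cc"))
        if (app and app_name != app) or (recipient and recipient not in to + cc):
            continue
        rows.append({"app": app_name, "title": entry["name"], "actions": actions,
                     "severity": SEVERITY.get(c.get("alert.severity"), "Unknown"),
                     "to": to, "cc": cc})
    return rows

if __name__ == "__main__":
    for r in enabled_alert_recipients(SAMPLE_RESPONSE):
        print(r["app"], "|", r["title"], "|", r["severity"], "| To:", r["to"], "| CC:", r["cc"])
```

Against a live instance, fetch the endpoint with output_mode=json and pass the body string in place of SAMPLE_RESPONSE; the /servicesNS/-/-/ form covers all apps and owners, which is the difference MuS points out above.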

iqbalintouch
Path Finder

Thanks a lot @MuS, I got the details. Appreciated 🙂
