Re: How to search all the alert configured in splu...

prabha321 · ‎12-12-2019

How to search all the alert, Dashboard, & Report searches configured in splunk ???

woodcock · ‎12-12-2019

Like this:

|rest/servicesNS/-/<YourAppNameHere>/saved/searches splunk_server=local
| search eai:acl.app="<YourAppNameHere>" AND request.ui_dispatch_app="<YourAppNameHere>" AND is_scheduled="1"
| dedup id
| table eai:acl.app eai:acl.owner eai:acl.sharing disabled title description cron_schedule allow_skew dispatch.earliest_time dispatch.latest_time alert_severity search
| rename dispatch.* AS *
| rename eai:acl.* AS *
| table owner sharing title search description*

jcorcoran508 · ‎04-26-2021

Thank you for providing that information , worked wonderfully for what I was looking for and more!

prabha321 · ‎12-30-2019

Thanks a lot , can I check whether I am a user or power user.

woodcock · ‎12-14-2019

But you need admin-level privileges to run |rest.

gcusello · ‎12-12-2019

Hi @prabha321,
see at [Settings - Searches, Reports and Alerts], you have all the schedules searches (alerts and scheduled reports), remember to use the correct filters (e.g. Apps=all).

If you want to create a your own dashboard, you can use a search like the following

| rest /services/saved/searches | where is_scheduled=1

To get a history of scheduled search , check the internal logs

index=_internal sourcetype=scheduler  | table _time user savedsearch_name status scheduled_time run_time result_count

Ciao.
Giuseppe

prabha321 · ‎12-12-2019

Thanks for your quick response Giuseppe ,

After searching with the query "| rest /services/saved/searches | where is_scheduled=1" it has pulled the alert configuration for SPLUNK but i want to search all the Queries done for servers,Network,Database ... etc of Infrastructure monitoring done on my environment.

gcusello · ‎12-12-2019

Hi @prabha321,
alerts and scheduled searches are usually executed only on Search Heads, so you have to run the above search on your Search Heads.

When you speak of "Queries done for servers,Network,Database" are you speaking of searches on Splunk on logs of servers, network and databases, or other?

Ciao.
Giuseppe

prabha321 · ‎12-12-2019

I want to get the Alert Configuration Queries of servers,Network,Database ... etc of infrastructure monitoring.

gcusello · ‎12-12-2019

Hi @prabha321,
if you're speaking of Infrastructure Monitoring App, see at [Settings - Searches, Reports and Alerts] starting from that app (the left side of Settings menu is contextual to the App): all the alerts and scheduled searches of that app are listed there.

Ciao.
Giuseppe

gcusello · ‎12-12-2019

Hi @prabha321,
if you run the above search you have all the available fields, so you can choose the ones you like e.g. search and title:

 | rest /services/saved/searches 
 | where is_scheduled=1
 | table title search

Ciao.
Giuseppe

prabha321 · ‎12-13-2019

Thanks I am getting error ,I think it's restricted. Thanks again.

gcusello · ‎12-14-2019

I'm sorry!
you should check the grants of your user.
To close the question, please accept and/or upvote it.
Ciao and next time.
Giuseppe

prabha321 · ‎12-12-2019

Yes that's the way I am taking the queries of each alerts.

Is there any queries to search all the alert configuration queries ???

How to search all the alert configured in splunk ???

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes