Alerting

How to search all the alerts configured in Splunk?

Engager

How to search all the alert, dashboard, and report searches configured in Splunk?

0 Karma

Esteemed Legend

Like this:

| rest /servicesNS/-/<YourAppNameHere>/saved/searches splunk_server=local
| search eai:acl.app="<YourAppNameHere>" AND request.ui_dispatch_app="<YourAppNameHere>" AND is_scheduled="1"
| dedup id
| table eai:acl.app eai:acl.owner eai:acl.sharing disabled title description cron_schedule allow_skew dispatch.earliest_time dispatch.latest_time alert_severity search
| rename dispatch.* AS *
| rename eai:acl.* AS *
| table owner sharing title search description*
0 Karma
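The same inventory can be built outside the search bar from the REST endpoint the answer above uses. The script below is an added example, not code from this thread: it parses a constructed response in the JSON shape returned by `/services/saved/searches` with `output_mode=json` (an assumption about the field layout), applies the same `is_scheduled` and app filters, and also lists scheduled searches that are disabled, since a disabled alert fires nothing.

```python
import json

# Constructed sample mimicking `| rest /services/saved/searches` as JSON
# (assumed layout: entry[].name, entry[].acl, entry[].content).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Failed logins spike",
         "acl": {"app": "search", "owner": "admin", "sharing": "app"},
         "content": {"is_scheduled": True, "disabled": False,
                     "cron_schedule": "*/5 * * * *",
                     "search": "index=auth action=failure | stats count by user"}},
        {"name": "Weekly host report",
         "acl": {"app": "itsi", "owner": "ops", "sharing": "global"},
         "content": {"is_scheduled": True, "disabled": True,
                     "cron_schedule": "0 6 * * 1",
                     "search": "index=os | stats count by host"}},
        {"name": "Ad-hoc lookup",
         "acl": {"app": "search", "owner": "analyst", "sharing": "user"},
         "content": {"is_scheduled": False, "disabled": False,
                     "cron_schedule": "", "search": "index=main"}},
    ]
})


def inventory(raw_json, app=None):
    """Scheduled searches (alerts and reports) as dicts, optionally for one app."""
    rows = []
    for entry in json.loads(raw_json)["entry"]:
        content, acl = entry["content"], entry["acl"]
        if not content.get("is_scheduled"):
            continue  # same filter as `where is_scheduled=1`
        if app and acl["app"] != app:
            continue  # same filter as eai:acl.app="<YourAppNameHere>"
        rows.append({
            "title": entry["name"], "app": acl["app"], "owner": acl["owner"],
            "sharing": acl["sharing"], "disabled": bool(content.get("disabled")),
            "cron": content.get("cron_schedule", ""), "search": content["search"],
        })
    return rows


def disabled_alerts(raw_json):
    """Titles of scheduled searches that are switched off and so never run."""
    return [r["title"] for r in inventory(raw_json) if r["disabled"]]


if __name__ == "__main__":
    for row in inventory(SAMPLE_RESPONSE):
        flag = "DISABLED" if row["disabled"] else ""
        print(row["app"], row["owner"], row["title"], row["cron"], flag, sep="\t")
```

Against a live instance, fetch the endpoint with the REST API (it needs the same admin-level rights the thread mentions) and pass the response body to `inventory()`.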

Engager

Thanks a lot, can I check whether I am a user or a power user?

0 Karma

Esteemed Legend

But you need admin-level privileges to run |rest.

0 Karma

SplunkTrust

Hi @prabha321,
see at [Settings - Searches, Reports and Alerts], you have all the scheduled searches (alerts and scheduled reports); remember to use the correct filters (e.g. Apps=all).

If you want to create your own dashboard, you can use a search like the following:

| rest /services/saved/searches | where is_scheduled=1

To get a history of scheduled searches, check the internal logs:

index=_internal sourcetype=scheduler  | table _time user savedsearch_name status scheduled_time run_time result_count

Ciao.
Giuseppe

0 Karma

Engager

Thanks for your quick response Giuseppe,

After searching with the query "| rest /services/saved/searches | where is_scheduled=1" it has pulled the alert configuration for Splunk, but I want to search all the queries done for servers, network, database, etc. of the infrastructure monitoring done on my environment.

0 Karma

SplunkTrust

Hi @prabha321,
alerts and scheduled searches are usually executed only on Search Heads, so you have to run the above search on your Search Heads.

When you speak of "queries done for servers, network, database", are you speaking of searches on Splunk on logs of servers, network and databases, or other?

Ciao.
Giuseppe

0 Karma

Engager

I want to get the alert configuration queries of servers, network, database, etc. of infrastructure monitoring.

0 Karma

SplunkTrust

Hi @prabha321,
if you're speaking of Infrastructure Monitoring App, see at [Settings - Searches, Reports and Alerts] starting from that app (the left side of Settings menu is contextual to the App): all the alerts and scheduled searches of that app are listed there.

Ciao.
Giuseppe

0 Karma

SplunkTrust

Hi @prabha321,
if you run the above search you have all the available fields, so you can choose the ones you like, e.g. search and title:

| rest /services/saved/searches
| where is_scheduled=1
| table title search

Ciao.
Giuseppe

0 Karma

Engager

Thanks, I am getting an error; I think it's restricted. Thanks again.

0 Karma

SplunkTrust

I'm sorry!
You should check the grants of your user.
To close the question, please accept and/or upvote it.
Ciao and next time.
Giuseppe

0 Karma

Engager

Yes, that's the way I am taking the queries of each alert.

Are there any queries to search all the alert configuration queries?

0 Karma