Alerting

How to submit a search and setup associated alert via Splunk REST API?

a212830
Champion

Hi,

Is there any way to submit a search and setup an associated alert with it, via Splunk's REST API?

Tags (2)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Sure, all it takes is a post to saved/searches with the appropriate settings for the alert. That creates the search and the alert, they're contained in the same object.

http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTsearch#POST_saved.2Fsearches

Remember, as a basic rule anything possible through the regular Web UI can be done through the REST API because it's just another client of that very API.

View solution in original post

nilendra19888
Explorer

@martin_mueller How to create an alert in Splunk using REST API using json payload in prod. ( I extracted JSON payload using REST from another splunk environment i.ie pre prod)

0 Karma

sarit_s
Communicator

@martin_mueller is there a way to run an alert with the rest api ?
i can't find an example for that.
i can see that it is possible to see fired alerts or list of alert actions but how can i set an alert with the api ?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Sure, all it takes is a post to saved/searches with the appropriate settings for the alert. That creates the search and the alert, they're contained in the same object.

http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTsearch#POST_saved.2Fsearches

Remember, as a basic rule anything possible through the regular Web UI can be done through the REST API because it's just another client of that very API.

martin_mueller
SplunkTrust
SplunkTrust

Anything you can do through the Web UI can be done through the REST API. Look at the action.script.* keys, set those and Splunk will run a script as an alert action.

0 Karma

a212830
Champion

Thanks. It appears that the only way to trigger a notification is via email? I don't see any way to run a script, which is how we integrate with our ticketing system.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...