Is it possible to disable all the alerts running in Splunk with a SINGLE click?
We have thousands of alerts. How can we disable all alerts with a single click?
When I needed to disable all saved searches on a search head, I used a short bash script to rename all savedsearches.conf files to savedsearches.conf.disabled and then restarted Splunk. Here's the script I used:
#!/bin/bash
# Run as the Splunk user; adjust the path if Splunk is not installed in /opt/splunk.
cd /opt/splunk/etc/ || exit 1
# Disable ALL savedsearches.conf files by renaming them out of the way.
# find -print0 / read -d '' keeps any path containing spaces intact.
find . -name savedsearches.conf -print0 | while IFS= read -r -d '' f; do
    mv -- "${f}" "${f}.disabled"
done
# Splunk only notices the renamed files after a restart: /opt/splunk/bin/splunk restart
If your Splunk instance isn't in /opt/splunk, then you might need to change the location.
To re-enable all saved searches on the search head, I used this:
#!/bin/bash
# Run as the Splunk user; adjust the path if Splunk is not installed in /opt/splunk.
cd /opt/splunk/etc/ || exit 1
# Enable ALL savedsearches.conf files by restoring their original names.
find . -name savedsearches.conf.disabled -print0 | while IFS= read -r -d '' f; do
    mv -- "${f}" "${f%.disabled}"
done
# Restart Splunk again so the restored files are read: /opt/splunk/bin/splunk restart
Note: This makes the searches completely unavailable from the Splunk UI, because they are no longer found in the expected savedsearches.conf locations - so technically speaking, this does a lot more than "disable alerts", but it's pretty efficient for making all saved searches stop running and then restoring them back to their original state.
Perhaps Splunk needs to provide a proper solution for this.
Absolutely
I too would like to know how something like this could be solved. My company has installs from 2am-6am on Sunday mornings and we want to disable all alerts, or a subsection of them, during this time frame, and it's surprising that Splunk doesn't have something to deal with a situation like that through the GUI.
Thanks for answering!!
Yes, if they are all in the same app, then they will all be in the same savedsearches.conf file under that app, so you can edit that file from the CLI and use this command in vi:
:1,$s/disabled=0/disabled=1/
If savedsearches.conf already has a mix of disabled and enabled alerts, this should not be used, as it will enable all alerts when we do
:1,$s/disabled=1/disabled=0/
for re-enabling.
Thanks for answering!!
You could do it directly from the savedsearches.conf file. However, it will still not be a single click: you'll have to set the "enableSched" property to the value "0" in all of your search stanzas, but at least you'd be able to achieve that by editing the single file.
Setting "enableSched" to 0 means that you are disabling the scheduling of these alerts.
Hope this helps!!
Cheers.
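As an added example (not code from any of the answers above, and not Splunk tooling), the following shell script does the same bulk edit as the vi substitution and the enableSched suggestion, but keeps a one-time backup of the original file and restores from that backup instead of flipping every value back, so stanzas that were already disabled before the change stay disabled afterwards. The function names, the ".bak" suffix and the sample savedsearches.conf are this example's own constructions; the only Splunk facts it relies on are the stanza layout of savedsearches.conf and the disabled / enableSched keys. Edit the copy under the app's local/ directory (never default/, which an app upgrade overwrites), then restart Splunk so the edited file is read.

```shell
#!/bin/sh
# Added example: bulk-set a key in every [stanza] of a savedsearches.conf,
# keeping a backup so the original mix of enabled/disabled stanzas can be
# restored exactly. Function names and the ".bak" suffix are this example's
# own choices, not Splunk conventions. Splunk must be restarted afterwards.
set -e

# bulk_set_key FILE KEY VALUE
# Every stanza header is followed by "KEY = VALUE"; any existing KEY line
# inside a stanza is dropped. Lines before the first stanza are untouched.
# The first call creates FILE.bak; later calls leave that backup alone so
# bulk_restore always returns the true original.
bulk_set_key() {
    file="$1"; key="$2"; value="$3"
    if [ ! -f "$file.bak" ]; then
        cp -p -- "$file" "$file.bak"
    fi
    awk -v key="$key" -v value="$value" '
        /^[[:space:]]*\[/ { in_stanza = 1; print; print key " = " value; next }
        in_stanza && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") { next }
        { print }
    ' "$file" > "$file.tmp"
    mv -- "$file.tmp" "$file"
}

# disable_all_saved_searches FILE -> every stanza gets "disabled = 1"
disable_all_saved_searches() { bulk_set_key "$1" disabled 1; }

# disable_all_schedules FILE -> every stanza gets "enableSched = 0"
disable_all_schedules() { bulk_set_key "$1" enableSched 0; }

# bulk_restore FILE -> put the backed-up original back and remove the backup
bulk_restore() {
    file="$1"
    [ -f "$file.bak" ] || { echo "no backup for $file" >&2; return 1; }
    mv -- "$file.bak" "$file"
}

# count_key_value FILE KEY VALUE -> number of lines reading "KEY = VALUE"
count_key_value() {
    grep -c -- "^$2[[:space:]]*=[[:space:]]*$3\$" "$1" || true
}

# Demo on a constructed sample conf (not a real Splunk file): one stanza
# enabled, one already disabled, one with no disabled key at all.
demo() {
    dir=$(mktemp -d)
    conf="$dir/savedsearches.conf"
    cat > "$conf" <<'EOF'
[default]
cron_schedule = */5 * * * *

[Failed logins spike]
search = index=auth action=failure | stats count
disabled = 0

[Old report nobody wants]
search = index=main | head 1
disabled = 1

[New alert without a disabled key]
search = index=web status=500 | stats count
EOF
    disable_all_saved_searches "$conf"
    echo "after disable: $(count_key_value "$conf" disabled 1) stanzas disabled, $(count_key_value "$conf" disabled 0) enabled"
    bulk_restore "$conf"
    echo "after restore: $(count_key_value "$conf" disabled 1) stanzas disabled, $(count_key_value "$conf" disabled 0) enabled"
    rm -rf -- "$dir"
}
demo
```

To use it on a real search head, source the script and call disable_all_saved_searches (or disable_all_schedules) on each app's local/savedsearches.conf, restart Splunk, and call bulk_restore on the same files when the maintenance window ends. Because the [default] stanza is also rewritten, the disabled value is inherited by every stanza in that file, which is exactly the intent here.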
Thanks for answering!!
What is it that you want to achieve?
If you get swamped with emails or something and want to (temporarily) stop that to troubleshoot something, you could try disabling the Alert Action.
I'm not aware of a way to disable all alerts in 1 click. Perhaps the CLI offers some options.
Thanks for answering!!
This does not help me.
We have more than 1000 alerts running. I want to disable all the alerts at once instead of doing it one by one, as that takes more time.