Alerting

Is there a way to disable email alerts for multiple Splunk alerts during a maintenance window?

xewaso626
Engager

We use Splunk Enterprise and would like to know if there is a way we can disable email alerts for multiple Splunk alerts. I don't want to manually disable each alert during that window.

Is there a curl command that I can run so that multiple alerts are disabled?

Can I feed all the alerts in a .csv to a command which will pull the alert names and disable them all at once?

@titleistfour ? 

Referring to your thread: https://community.splunk.com/t5/Alerting/Is-there-an-easy-way-to-use-the-REST-API-to-disable-Splunk/...


https://stackoverflow.com/questions/51799979/splunk-disabling-alerts-during-maintenance-window 


titleistfour
Explorer

We still disable alerts one at a time, but we use Ansible and a loop to accomplish it for multiple alerts. Works just fine. Although, for our use case, it's usually only a few alerts that we need to disable for each playbook.

/t

xewaso626
Engager

@titleistfour: Thank you for your answer. Can you share a thread on how we can do it using Ansible? Just to get a heads-up.


PS: I am still learning Ansible.

titleistfour
Explorer

It's just a simple REST call with the URI module, basically the same thing curl is doing.


- name: Update Splunk saved search
  uri:
    # single slash before servicesNS; owner/app must match where the alert is saved
    url: "{{ splunk_scheme }}://{{ splunk_server }}:{{ splunk_port }}/servicesNS/nobody/search/saved/searches/{{ item | urlencode }}"
    method: POST
    force_basic_auth: yes
    user: "{{ splunk_username }}"
    password: "{{ splunk_password }}"
    body_format: form-urlencoded
    # Splunk stores "disabled" as a boolean: map "disable" -> 1 and "enable" -> 0
    body:
      disabled: "{{ '1' if action == 'disable' else '0' }}"
    validate_certs: yes   # relax only for a self-signed cert on the management port
  delegate_to: localhost
  loop: "{{ splunk_alerts }}"
  no_log: true            # keep the Splunk password out of the play output


Just send it a list of "splunk_alerts" and the action of "enable" or "disable". That's it.

/t

dadol24553
Engager

@titleistfour that is a good and simple way, but is there a way that we can include a .csv as input for the queries to be disabled? I am just curious to know whether we can create a .bash file that runs and just pulls the data from a .csv.


@xewaso626: The best way is to just disable the entire email alerting if there are too many alerts. I know there are a few policies which don't allow you to do so, but wanted to let you know just in case.


titleistfour
Explorer

I have no idea if you can use a CSV that way. Just use a bash script to loop line by line and call curl on each line.

/t

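The script below is an added example, not code from anyone in this thread. It does what the question asks for and what titleistfour suggests: read a CSV of alerts and call curl once per row against the same saved/searches REST endpoint the Ansible task uses, sending disabled=1 for the maintenance window and disabled=0 afterwards. It assumes the Splunk management port 8089 at a made-up hostname in SPLUNK_URL, a Splunk authentication token in SPLUNK_TOKEN instead of a password, and a CSV layout of app,owner,alert_name that I chose for this example (it is not a Splunk convention). The sample CSV is constructed inline so the script runs offline in dry-run mode.

```shell
#!/bin/sh
# Added example, not code from the thread: bulk-disable (or re-enable) Splunk alerts
# listed in a CSV by POSTing disabled=1 / disabled=0 to saved/searches, one curl per row.
# Assumptions: management port 8089 at SPLUNK_URL (hostname is made up), an auth token
# in SPLUNK_TOKEN, and a constructed CSV layout of app,owner,alert_name.
set -eu

SPLUNK_URL="${SPLUNK_URL:-https://splunk.example.com:8089}"
SPLUNK_TOKEN="${SPLUNK_TOKEN:-}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the curl calls instead of sending them; 0 = run for real

# Percent-encode one value for a URL path segment. Alert names routinely contain spaces,
# parentheses or '>' that would otherwise break the request or address the wrong object.
urlencode() {
    ue_in=$1; ue_out=""
    while [ -n "$ue_in" ]; do
        ue_c=${ue_in%"${ue_in#?}"}    # first character of the remaining input
        ue_in=${ue_in#?}
        case "$ue_c" in
            [A-Za-z0-9._~-]) ue_out="$ue_out$ue_c" ;;
            *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
        esac
    done
    printf '%s' "$ue_out"
}

# Endpoint for one alert: servicesNS/<owner>/<app>/saved/searches/<name>. Owner is "nobody"
# for an alert shared at app level; a user's private alert needs that user as owner.
alert_url() {
    printf '%s/servicesNS/%s/%s/saved/searches/%s' \
        "$SPLUNK_URL" "$(urlencode "$2")" "$(urlencode "$1")" "$(urlencode "$3")"
}

# Set disabled=<value> on one alert (args: app owner name value), then read the stored
# value back so a request that returned 200 but changed nothing is still noticed.
set_alert_disabled() {
    sad_url=$(alert_url "$1" "$2" "$3")
    if [ "$DRY_RUN" = 1 ]; then
        printf 'curl -X POST %s -d disabled=%s\n' "$sad_url" "$4"
        return 0
    fi
    [ -n "$SPLUNK_TOKEN" ] || { echo "SPLUNK_TOKEN is not set" >&2; return 1; }
    curl -sS --fail -X POST "$sad_url" -H "Authorization: Bearer $SPLUNK_TOKEN" \
        -d "disabled=$4" -d output_mode=json >/dev/null
    sad_state=$(curl -sS --fail -H "Authorization: Bearer $SPLUNK_TOKEN" "$sad_url?output_mode=json" \
        | grep -oE '"disabled": ?(true|false|0|1)' | head -n 1)
    printf '%s/%s/%s -> %s\n' "$1" "$2" "$3" "$sad_state"
}

# Apply one disabled value to every data row of the CSV (args: file value). Rows are
# app,owner,alert_name; blank lines, "#" comments and a header row are skipped. Quoted
# fields are not parsed, so a name containing a comma needs a different delimiter.
apply_csv() {
    ac_file=$1; ac_value=$2
    while IFS=, read -r ac_app ac_owner ac_name || [ -n "$ac_name" ]; do
        ac_name=${ac_name%"$(printf '\r')"}   # tolerate a CRLF file
        case "$ac_app" in ''|'#'*|app) continue ;; esac
        set_alert_disabled "$ac_app" "${ac_owner:-nobody}" "$ac_name" "$ac_value"
    done < "$ac_file"
}

# Constructed sample input so the script runs offline; replace it with your maintenance list.
SAMPLE_CSV=$(mktemp)
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
app,owner,alert_name
search,nobody,Failed Logins (prod)
search,admin,High CPU > 90%
myapp,,Disk Full
EOF

# Maintenance window: disable every alert in the list; afterwards run with ACTION=0 to restore.
apply_csv "$SAMPLE_CSV" "${ACTION:-1}"
```

Run it once as-is to see the calls it would make, then with DRY_RUN=0 to send them and ACTION=0 at the end of the window to put everything back; the same CSV is the record of what to re-enable. The app and owner columns matter: an alert saved in another app, or a user's private alert, is not reachable at servicesNS/nobody/search, which is the only path the Ansible task above addresses. The token only needs write access to those saved searches, so it can belong to a dedicated low-privilege user rather than an admin.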