
Is there a way to disable email alerts for multiple Splunk alerts during a maintenance window?

xewaso626
Engager

We use Splunk Enterprise and would like to know if there is a way we can disable email alerts for multiple Splunk alerts. I don't want to manually disable each alert during that window.

Is there a curl command that I can run so that multiple alerts are disabled?

Can I feed all the alerts in a .csv and a command which will pull the alert names and disable them all at once?

@titleistfour ? 

Referring to your thread: https://community.splunk.com/t5/Alerting/Is-there-an-easy-way-to-use-the-REST-API-to-disable-Splunk/...


https://stackoverflow.com/questions/51799979/splunk-disabling-alerts-during-maintenance-window 


titleistfour
Explorer

We still disable alerts one at a time.  But we use Ansible and a loop to accomplish it for multiple alerts.  Works just fine.  Although, for our use case it's usually only a few alerts that we need to disable for each playbook.

/t

xewaso626
Engager

@titleistfour : Thank you for your answer. Can you share a thread on how we can do it using Ansible? Just to get a heads-up.


PS: I am still discovering Ansible.

titleistfour
Explorer

It's just a simple REST call with the uri module, basically the same thing curl is doing.


- name: Update Splunk saved search (enable or disable an alert)
  uri:
    # single slash before servicesNS (the original had a doubled "//");
    # the alert name is URL-encoded so names with spaces work
    url: "{{ splunk_scheme }}://{{ splunk_server }}:{{ splunk_port }}/servicesNS/nobody/search/saved/searches/{{ item | urlencode }}"
    method: POST
    force_basic_auth: yes
    user: "{{ splunk_username }}"
    password: "{{ splunk_password }}"
    # 'disabled' is a boolean on the saved/searches endpoint, so the
    # human-friendly action (enable/disable) is mapped onto 0/1
    body_format: form-urlencoded
    body:
      disabled: "{{ '1' if action == 'disable' else '0' }}"
    status_code: 200
  no_log: true          # keep the password out of the play output
  delegate_to: localhost
  loop: "{{ splunk_alerts }}"


Just send it a list of "splunk_alerts" and the action of "enable" or "disable".  That's it.

/t

dadol24553
Engager

@titleistfour that is a good and simple way, but is there a way that we can include a .csv as input for the queries to be disabled? I am just curious to know whether we can create a .bash file that runs and just pulls the data from a .csv.


@xewaso626 : The best way is to just disable email alerting entirely if there are too many alerts. I know there are a few policies which don't allow doing so, but I wanted to let you know just in case.

0 Karma

titleistfour
Explorer

I have no idea if you can use a CSV that way.  Just use a bash script to loop line by line and call curl each line.

/t

0 Karma
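The curl-plus-CSV loop asked for in the question and suggested in the reply above, written out as an added example (this is not Splunk's code nor any poster's own). It assumes a CSV with a header row and the columns `alert_name,app` (app optional, defaulting to `search`), and the environment variables `SPLUNK_URL`, `SPLUNK_USER`, `SPLUNK_PASS` and `SPLUNK_CA`; all of those names are this example's own. It uses Splunk's `saved/searches/{name}/enable` and `/disable` POST actions, and goes a little beyond the thread by taking the app per row instead of hard-coding `search`, offering a `DRY_RUN=1` mode, keeping the password out of the process list, and verifying splunkd's TLS certificate instead of passing `-k`.

```shell
#!/bin/sh
# Bulk enable/disable Splunk alerts listed in a CSV, via splunkd's REST API.
# Added example for this thread; not Splunk's or any poster's own code.
# Assumed environment (names are this example's, not Splunk's): SPLUNK_URL
# (e.g. https://splunk.example.com:8089), SPLUNK_USER, SPLUNK_PASS, SPLUNK_CA
# (CA cert for splunkd's management port). DRY_RUN=1 prints instead of sending.

urlencode() {
    # Percent-encode all but RFC 3986 unreserved characters so alert names
    # with spaces or symbols survive in the URL path. Assumes ASCII names.
    s=$1 out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}        # split off the first character
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

alert_url() {
    # $1 alert name, $2 app, $3 enable|disable. Splunk exposes
    # saved/searches/{name}/enable and /disable as POST actions.
    printf '%s/servicesNS/nobody/%s/saved/searches/%s/%s' \
        "$SPLUNK_URL" "$(urlencode "$2")" "$(urlencode "$1")" "$3"
}

parse_csv_row() {
    # Normalise one "alert_name,app" CSV line to name,app on stdout; print
    # nothing for blank, comment (#) or header lines. Strips CR and quotes;
    # app defaults to search; commas inside names are not supported.
    cr=$(printf '\r'); row=${1%"$cr"}
    case $row in ''|'#'*|alert_name*) return 0 ;; esac
    name=${row%%,*}
    case $row in *,*) app=${row#*,}; app=${app%%,*} ;; *) app='' ;; esac
    name=${name#\"}; name=${name%\"}; app=${app#\"}; app=${app%\"}
    printf '%s,%s\n' "$name" "${app:-search}"
}

post_alert_action() {
    # $1 alert name, $2 app, $3 enable|disable
    url=$(alert_url "$1" "$2" "$3")
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'dry-run: POST %s\n' "$url"; return 0; fi
    # Credentials go to curl as a config file on stdin (-K -) so they never
    # appear in `ps`; TLS is verified against SPLUNK_CA instead of using -k.
    # -d '' makes an empty-bodied POST. Assumes no double quote in the password.
    code=$(printf 'user = "%s:%s"\n' "$SPLUNK_USER" "$SPLUNK_PASS" |
        curl -sS -K - --cacert "$SPLUNK_CA" -d '' -o /dev/null -w '%{http_code}' "$url") || return 1
    if [ "$code" = 200 ]; then printf '%s: %s (app %s)\n' "$3" "$1" "$2"; return 0; fi
    printf 'FAILED HTTP %s: %s (app %s)\n' "$code" "$1" "$2" >&2
    return 1
}

process_csv() {
    # $1 CSV path, $2 enable|disable. Keeps going past failures and
    # returns 1 if any alert could not be updated (reads the file directly,
    # not through a pipe, so the failure flag survives the loop).
    case $2 in enable|disable) ;; *) echo "action must be enable or disable" >&2; return 2 ;; esac
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        row=$(parse_csv_row "$line")
        [ -n "$row" ] || continue
        post_alert_action "${row%,*}" "${row##*,}" "$2" || failed=1
    done <"$1"
    return "$failed"
}

# Constructed sample input (made-up alert names) exercised by demo in dry-run mode.
SAMPLE_CSV='alert_name,app
"Disk Full > 90%",search
Failed Logins Spike,security
# retired alert, kept for reference
Backup Job Missed,'

demo() {
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_CSV" >"$tmp"
    ( SPLUNK_URL=${SPLUNK_URL:-https://splunk.example.com:8089}; DRY_RUN=1
      process_csv "$tmp" disable ); rc=$?
    rm -f "$tmp"; return "$rc"
}

main() {
    [ "$#" -eq 2 ] || { echo "usage: $0 enable|disable alerts.csv" >&2; return 2; }
    : "${SPLUNK_URL:?}"
    [ "${DRY_RUN:-0}" = 1 ] || : "${SPLUNK_USER:?}" "${SPLUNK_PASS:?}" "${SPLUNK_CA:?}"
    process_csv "$2" "$1"
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `./splunk_alerts.sh disable alerts.csv` before the window and `./splunk_alerts.sh enable alerts.csv` afterwards; `DRY_RUN=1 ./splunk_alerts.sh disable alerts.csv` shows which URLs would be hit without touching anything. Use a dedicated service account whose role carries only the `edit_search_schedule` style capability it needs rather than an admin login, since the credentials end up on the host running the script.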