Alerting

Is there a way to return a list of all alerts from the API?

joe_butler99
Explorer

I know I can get the fired alerts from the API on the endpoint:

alerts/fired_alerts

alerts/ also returns the fired alerts. I'd like to know if it's possible to get a list of all saved alerts returned. I can't see this in the documentation, but it would be very handy for me to auto-generate some monitoring.


fdi01
Motivator

try like this:

| rest /services/alerts/fired_alerts

or

| rest /servicesNS/admin/search/alerts/fired_alerts/-

halr9000
Motivator

As you may see from the answers suggested so far, alerts are in fact saved searches which have an alert enabled. So instead of looking for alerts in the REST docs, look at saved search endpoints and that's where your answer will lie.


paramagurukarth
Builder

Please try this:

| rest /servicesNS/-/ApplicationName/saved/searches

joe_butler99
Explorer

This does get a list of all the reports, but the alerts are not included in this list.


paramagurukarth
Builder

Try this. This lists saved searches/reports from all apps:

| rest /servicesNS/-/-/saved/searches

Yours may be stored in some other app.


joe_butler99
Explorer

I was doing that already. I can see all reports, but not any alerts.


stephanefotso
Motivator

Hello! Try a search like this:

index=_internal sourcetype=scheduler thread_id=AlertNotifier* NOT (alert_actions="summary_index" OR alert_actions="") | table run_time alert_actions app status

You can add more fields to your table as you need.
Thanks

SGF

joe_butler99
Explorer

Nothing is coming up for this; in fact, nothing is under index=_internal. All my alerts are saved under the search app, but I can't find a way to access them from a search.


stephanefotso
Motivator

Just test this and let me know what happens:

index=_internal sourcetype=scheduler thread_id=AlertNotifier* | table run_time alert_actions app status

SGF

joe_butler99
Explorer

Hi, thanks - this does give me a list of alerts and their status. I might be able to work with something based on this if the API does not directly give an alerts endpoint.


paramagurukarth
Builder

Yes... it gives you just the required data. Just filter and customize it 🙂
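
Putting the thread's conclusion into code (an added example, not from any poster): alerts are saved searches with alerting enabled, so the /servicesNS/-/-/saved/searches endpoint is pulled and each entry is classified. The "scheduled, and either alert_type is not 'always' or alert.track is set" rule is an assumption about how Splunk distinguishes alerts from reports, and the embedded response is constructed sample data in the shape of an output_mode=json reply.

```python
"""Classify Splunk saved searches as alerts vs. reports from REST API output."""
import json

# Constructed sample shaped like /servicesNS/-/-/saved/searches?output_mode=json,
# trimmed to the fields this script uses (assumption: not real server output).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Failed logins spike", "acl": {"app": "search", "owner": "admin"},
     "content": {"is_scheduled": True, "alert_type": "number of events",
                 "alert_comparator": "greater than", "alert_threshold": "50",
                 "alert.track": True, "actions": "email",
                 "cron_schedule": "*/5 * * * *"}},
    {"name": "Weekly license report", "acl": {"app": "search", "owner": "admin"},
     "content": {"is_scheduled": True, "alert_type": "always",
                 "alert.track": False, "actions": "email",
                 "cron_schedule": "0 6 * * 1"}},
    {"name": "New admin role assigned", "acl": {"app": "myapp", "owner": "sec"},
     "content": {"is_scheduled": "1", "alert_type": "always",
                 "alert.track": "1", "actions": "script",
                 "cron_schedule": "* * * * *"}},
    {"name": "Ad hoc search", "acl": {"app": "search", "owner": "joe"},
     "content": {"is_scheduled": False, "alert_type": "always",
                 "alert.track": False, "actions": ""}},
]})


def _truthy(value):
    """Flags come back as JSON booleans or as "0"/"1" strings; accept both."""
    return value in (True, 1, "1", "true", "True")


def is_alert(content):
    """Heuristic (assumption, not a documented Splunk rule): a saved search is
    an alert when it is scheduled and either has a trigger condition other
    than 'always' or is listed in Triggered Alerts (alert.track)."""
    if not _truthy(content.get("is_scheduled")):
        return False
    has_condition = content.get("alert_type", "always") != "always"
    return has_condition or _truthy(content.get("alert.track"))


def list_alerts(response_text):
    """Return (app, name, alert_type, actions) for every alert in a response."""
    entries = json.loads(response_text).get("entry", [])
    return [(e["acl"]["app"], e["name"], e["content"].get("alert_type"),
             e["content"].get("actions", ""))
            for e in entries if is_alert(e["content"])]


def saved_searches_url(base="https://localhost:8089"):
    """Endpoint from the thread; count=0 returns all entries, JSON for parsing."""
    return f"{base}/servicesNS/-/-/saved/searches?output_mode=json&count=0"


if __name__ == "__main__":
    for app, name, kind, actions in list_alerts(SAMPLE_RESPONSE):
        print(f"{app:8} {name:28} {kind:18} {actions}")
```

Replace SAMPLE_RESPONSE with the body fetched from saved_searches_url() using a Splunk session token to run it against a real instance; the "Weekly license report" entry shows why actions alone (here, email) is not enough to mark something as an alert.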
