Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Am I able to edit many alerts simultaneously?

sebkue
New Member
‎11-08-2017 05:15 AM

I am currently managing 50 alerts and this number will multiply in the next couple of weeks. Editing my alerts is cumbersome. If I want to change a common property, I have to change every single instance by itself. Is there a way to change an alert property like its permissions, or triggers, for multiple alerts at a time?
I have looked at "Alert Manager", but it seems to be tailored to managing incidents, not the actual alerts in of itself.

Labels (1)
Labels
0 Karma
Reply

LCM_BRogerson
Path Finder
‎11-08-2017 12:44 PM

Hi @sebkue

If you have access to the file system, you could make bulk changes to saved searches through the config files.
Permissions can be found in [$SPLUNK_HOME$]\etc\apps\[your app]\metadata\local.meta. The admin manual page is here
All other search attributes (action, email, search string, etc.) can be found in [$SPLUNK_HOME$]\etc\apps\[your app]\local\savedsearches.conf. The admin manual page is here.

It's not the most elegant way, but I'm not aware of any way to make bulk changes within the UI.

Hope that helps.

0 Karma
Reply

bac
New Member
‎10-18-2022 04:03 PM

Splunk does not offer a sane means to manage Alerts in great numbers at all. The User Interface is vacant of assistance in this regard, a large list that makes no effort to show the last edited row - leaving the user to fumble through, choosing the same item repeatedly or missing items easily. Splunk relies on the Browser for basic navigation functionality between pages but did not consider users' needs when navigating and working with mechanisms more bespoke. I hope this comment resonates with someone at Splunk to address this, because it is a big deal and the product in its current state is ripe for disruption.

0 Karma
Reply

bac
New Member
‎10-18-2022 04:06 PM

Please also note that the Permissions Dialog intermittently closes itself with or without interaction, when it does so with interaction the outcome is erroneous - it seems you made a change but no change was made. The list does not put any effort into showing that a change was or wasn't made nor which item you were last editing. Highly vulnerable to human error.

0 Karma
Reply

bac
New Member
‎10-18-2022 04:52 PM

The Permissions Dialog will also occasionally open without content, only showing the close (x), CANCEL, and SAVE button but not responding to them. It seems that clicking outside of the Dialog or forcing a browser refresh is the only way out of that erroneous state. Managing Alerts is really in the 3rd World of Internet.

0 Karma
Reply

sebkue
New Member
‎11-10-2017 01:12 AM

I do not have access to the file system. Is there a reason that bulk editing alerts is not a feature?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...