I am using the REST API to create a bot to search for triggered alerts every 30 seconds or so. I created saved searches as alerts on my personal Splunk account from my company and everything worked fine.
curl -k -u [username]:[password] https://[host]/servicesNS/[username]/[app]/alerts/fired_alerts -d "output_mode=json" --get
I recently got a new Splunk account specifically for the bot to use, so I went and recreated the alerts I had previously created on the new account, but when I run the API calls I am not getting any triggered alerts returned. I can see my test alerts in the alert manager, and the alerts I created on the new account are exactly the same as the ones I had on my personal account.
I have tried deleting the saved searches on my personal account as well as recreating the searches on the bot account but I am unable to see the triggered alerts when I check for them using the API.
Any help would be greatly appreciated.
edit: If I search for triggered alerts from all apps I am able to see other alerts that were created by other people but not the ones I created.
I can see the alerts that were triggered http://i.imgur.com/NcoDyy7.png but when I run the command I only get http://pastebin.com/6N9r82k1
Is it a namespace issue?
You need to use namespace wildcards to get all the searches (run as admin). I've added a filter to only load searches that have the email action enabled:
| rest /servicesNS/-/-/saved/searches search="action.email=1" | table title eai:acl.app eai:acl.owner disabled is_scheduled cron_schedule action.email*
I also found these pages helpful
Hmmm this worked for me:
curl --get -ku admin:xxxxx https://localhost:9621/servicesNS/admin/sales/alerts/fired_alerts -d "output_mode=json"
Try --get up front.
I get the same results when I run both commands
It says no alerts have been fired but when I go to the alert manager I see http://i.imgur.com/NcoDyy7.png
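The namespace point raised in the thread (servicesNS/[owner]/[app]/ only returns objects visible in that one owner/app scope, while servicesNS/-/-/ uses Splunk's "-" wildcard for both slots) is easy to get wrong in a polling bot, so here is a small added example of the fired_alerts poll in Python. It is not code from the thread or from Splunk: the host name, the SPLUNK_TOKEN environment variable, the bearer-token header, the sample JSON body and the entry field names (entry.acl.app, entry.acl.owner, content.triggered_alert_count) are all assumptions I am making for the illustration. It builds the URL with the wildcard namespace, parses a constructed fired_alerts response, and shows client-side which entries a narrower namespace would have dropped. Credentials come from the environment rather than the command line, and TLS verification stays on (no equivalent of curl -k).

```python
import json
import os
import ssl
import urllib.request
from urllib.parse import quote, urlencode

# Splunk's namespace wildcard: "-" in the owner or app slot of a servicesNS
# path matches every owner / every app the calling user is allowed to read.
WILDCARD = "-"


def fired_alerts_url(host, owner=WILDCARD, app=WILDCARD):
    """Build the fired_alerts URL for one namespace (default: all owners, all apps)."""
    path = f"/servicesNS/{quote(owner)}/{quote(app)}/alerts/fired_alerts"
    return f"https://{host}{path}?{urlencode({'output_mode': 'json'})}"


def parse_fired_alerts(body):
    """Return the entries with at least one triggered alert.

    The field names used here (entry.acl.app, entry.acl.owner,
    content.triggered_alert_count) are an assumption about the endpoint's
    JSON layout, not something stated in the thread.
    """
    data = json.loads(body)
    fired = []
    for entry in data.get("entry", []):
        acl = entry.get("acl", {})
        content = entry.get("content", {})
        count = int(content.get("triggered_alert_count", 0))
        if count > 0:
            fired.append({
                "name": entry.get("name"),
                "app": acl.get("app"),
                "owner": acl.get("owner"),
                "count": count,
            })
    return fired


def in_namespace(alerts, owner=WILDCARD, app=WILDCARD):
    """Client-side approximation of what a narrower servicesNS/owner/app scope returns.

    Splunk applies this filtering server-side; this helper only makes the
    effect visible on the sample data.
    """
    return [
        a for a in alerts
        if (owner == WILDCARD or a["owner"] == owner)
        and (app == WILDCARD or a["app"] == app)
    ]


def fetch_fired_alerts(host, token, owner=WILDCARD, app=WILDCARD, timeout=10):
    """Poll Splunk with a bearer token instead of user:password on the command line."""
    req = urllib.request.Request(
        fired_alerts_url(host, owner, app),
        headers={"Authorization": f"Bearer {token}"},  # assumed token-auth setup
    )
    ctx = ssl.create_default_context()  # verifies the management-port certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_fired_alerts(resp.read().decode("utf-8"))


# Constructed sample body standing in for a real fired_alerts response.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Bot test alert",
         "acl": {"app": "search", "owner": "alertbot"},
         "content": {"triggered_alert_count": 2}},
        {"name": "Quiet search",
         "acl": {"app": "search", "owner": "alertbot"},
         "content": {"triggered_alert_count": 0}},
        {"name": "Failed logins spike",
         "acl": {"app": "security_app", "owner": "analyst"},
         "content": {"triggered_alert_count": 1}},
    ]
})


if __name__ == "__main__":
    print(fired_alerts_url("splunk.example.com:8089"))  # placeholder host
    everything = parse_fired_alerts(SAMPLE_RESPONSE)
    print("all namespaces:", [a["name"] for a in everything])
    print("alertbot/search only:", [a["name"] for a in in_namespace(everything, "alertbot", "search")])
    token = os.environ.get("SPLUNK_TOKEN")
    if token:
        host = os.environ.get("SPLUNK_HOST", "localhost:8089")
        print(fetch_fired_alerts(host, token))
```

With the sample data, the wildcard namespace yields both alerts with a non-zero count, while the alertbot/search scope (the shape of the original curl call) yields only the bot's own alert; an alert saved under another owner or app, as the thread observed, simply never shows up unless the path uses the wildcards or the bot's own namespace actually owns the search.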