Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Alert: How do I delete when there is no Delete option on Edit/Menu?

altink
Builder
‎01-20-2021 06:34 AM

Hi

Cannot delete an Alert.
There is no Delete Option under Alert's Edit Menu.

Please advise how to delete.

best regards

Altin

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:48 AM

Is this alert created by you or it is part of an app?

If this alert exists in the app's default folder you need to remove it from the app and then deploy the app again. If you don't have access to do that then you can always disable the alert.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:58 AM

How do I "remove it from the app" ?
(this ticket was opened for this)
best

Altin

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:23 AM

Thank you very much @manjunathmeti 

best regards,

Altin

 
Tags (2)
0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:55 AM

Alert is part of an application. And it is owned by Admin.
I am logged as Admin - and cannot delete it

 

best

Altin

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:59 AM

If it is part of the application's default directory then even admin can't delete it. You need to delete it from app and deploy the application again.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:07 AM

Do you mean I need to delete the Alert in the config file, in the OS?
And then restart Splunk?

best regards

Altin

0 Karma
Reply
Solved! Jump to solution

TheGearx
Splunk Employee
Splunk Employee
‎03-14-2022 08:14 AM

What you must do is

 

-Download the app and delete the alert/search

-upload the Custom app and the scheduled alert/search must disappear

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...