Hi
Cannot delete an Alert.
There is no Delete Option under Alert's Edit Menu.
Please advise how to delete.
best regards
Altin
Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.
1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf
2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf
Is this alert created by you or it is part of an app?
If this alert exists in the app's default folder you need to remove it from the app and then deploy the app again. If you don't have access to do that then you can always disable the alert.
How do I "remove it from the app" ?
(this ticket was opened for this)
best
Altin
Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.
1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf
2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf
Alert is part of an application. And it is owned by Admin.
I am logged as Admin - and cannot delete it
best
Altin
If it is part of the application's default directory then even admin can't delete it. You need to delete it from app and deploy the application again.
Do you mean I need to delete the Alert in the config file, in the OS?
And then restart Splunk?
best regards
Altin
What you must do is
-Download the app and delete the alert/search
-upload the Custom app and the scheduled alert/search must disappear