Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Alert: How do I delete when there is no Delete option on Edit/Menu?

altink
Builder
‎01-20-2021 06:34 AM

Hi

Cannot delete an Alert.
There is no Delete Option under Alert's Edit Menu.

Please advise how to delete.

best regards

Altin

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:48 AM

Is this alert created by you or it is part of an app?

If this alert exists in the app's default folder you need to remove it from the app and then deploy the app again. If you don't have access to do that then you can always disable the alert.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:58 AM

How do I "remove it from the app" ?
(this ticket was opened for this)
best

Altin

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:23 AM

Thank you very much @manjunathmeti 

best regards,

Altin

 
Tags (2)
0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:55 AM

Alert is part of an application. And it is owned by Admin.
I am logged as Admin - and cannot delete it

 

best

Altin

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:59 AM

If it is part of the application's default directory then even admin can't delete it. You need to delete it from app and deploy the application again.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:07 AM

Do you mean I need to delete the Alert in the config file, in the OS?
And then restart Splunk?

best regards

Altin

0 Karma
Reply
Solved! Jump to solution

TheGearx
Splunk Employee
Splunk Employee
‎03-14-2022 08:14 AM

What you must do is

 

-Download the app and delete the alert/search

-upload the Custom app and the scheduled alert/search must disappear

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...