Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Alert: How do I delete when there is no Delete option on Edit/Menu?

altink
Builder
‎01-20-2021 06:34 AM

Hi

Cannot delete an Alert.
There is no Delete Option under Alert's Edit Menu.

Please advise how to delete.

best regards

Altin

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:48 AM

Is this alert created by you or it is part of an app?

If this alert exists in the app's default folder you need to remove it from the app and then deploy the app again. If you don't have access to do that then you can always disable the alert.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:58 AM

How do I "remove it from the app" ?
(this ticket was opened for this)
best

Altin

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:23 AM

Thank you very much @manjunathmeti 

best regards,

Altin

 
Tags (2)
0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:55 AM

Alert is part of an application. And it is owned by Admin.
I am logged as Admin - and cannot delete it

 

best

Altin

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:59 AM

If it is part of the application's default directory then even admin can't delete it. You need to delete it from app and deploy the application again.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:07 AM

Do you mean I need to delete the Alert in the config file, in the OS?
And then restart Splunk?

best regards

Altin

0 Karma
Reply
Solved! Jump to solution

TheGearx
Splunk Employee
Splunk Employee
‎03-14-2022 08:14 AM

What you must do is

 

-Download the app and delete the alert/search

-upload the Custom app and the scheduled alert/search must disappear

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...