Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Alert: How do I delete when there is no Delete option on Edit/Menu?

altink
Builder
‎01-20-2021 06:34 AM

Hi

Cannot delete an Alert.
There is no Delete Option under Alert's Edit Menu.

Please advise how to delete.

best regards

Altin

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:48 AM

Is this alert created by you or it is part of an app?

If this alert exists in the app's default folder you need to remove it from the app and then deploy the app again. If you don't have access to do that then you can always disable the alert.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:58 AM

How do I "remove it from the app" ?
(this ticket was opened for this)
best

Altin

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:23 AM

Thank you very much @manjunathmeti 

best regards,

Altin

 
Tags (2)
0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:55 AM

Alert is part of an application. And it is owned by Admin.
I am logged as Admin - and cannot delete it

 

best

Altin

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:59 AM

If it is part of the application's default directory then even admin can't delete it. You need to delete it from app and deploy the application again.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:07 AM

Do you mean I need to delete the Alert in the config file, in the OS?
And then restart Splunk?

best regards

Altin

0 Karma
Reply
Solved! Jump to solution

TheGearx
Splunk Employee
Splunk Employee
‎03-14-2022 08:14 AM

What you must do is

 

-Download the app and delete the alert/search

-upload the Custom app and the scheduled alert/search must disappear

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...