When I try to create an alert with the Splunk Rest API it just makes a report instead?

joemaz95
Path Finder

I've been playing with the different properties to see if something would trigger a report/saved search becoming an alert with no luck. Any guidance on how to create an alert via the API would be much appreciated.

import requests

# Placeholders (assumed; the original post defines these elsewhere)
host = "splunk.example.com:8089"
headers = {"Authorization": "Bearer <TOKEN>"}

parameters = {'name': 'test-alert1',
'search': 'index="_audit"',
'description': 'test alert',
'action.email': False,
'action.email.sendresults': None,
'action.email.to': '',
'action.populate_lookup': False,
'action.rss': False,
'action.script': False,
'action.summary_index': False,
"action.slack_webhook_alert.param.slack_message": "test",
"action.sn_sec_multi_incident_alert.param.shortdescription": "test",
"action.sn_sec_multi_incident_alert.param.ci": "test",
"action.sn_sec_multi_incident_alert.param.category": "Splunk",
"action.sn_sec_multi_incident_alert.param.source": "test",
"action.sn_sec_multi_incident_alert.param.priority": "3",
"action.sn_sec_multi_incident_alert.param.description": "test",
'alert.digest_mode': True,
'alert.expires': '24h',
'alert.managedBy': '',
'alert.severity': '3',
'alert.suppress': None,
'alert.suppress.fields': '',
'alert.suppress.period': '',
'alert.track': False,
'alert_comparator': 'greater than',
'alert_condition': '',
'alert_threshold': '0',
'alert_type': 'always',  # 'always' = no trigger condition
'allow_skew': '0',
'auto_summarize': False,
'is_visible': '1',
'dispatch.earliest_time': '-30m',
'is_scheduled': '1',
'cron_schedule': '5 ',  # as posted; Splunk expects a five-field cron expression
'max_concurrent': '1',
# A Python dict keeps only the last value of a repeated key, so the original's
# three 'actions' entries collapsed to one; list both actions once, comma-separated.
"actions": "sn_sec_multi_incident_alert,slack_webhook_alert",
"action.sn_sec_multi_incident_alert": "1",
"action.slack_webhook_alert": "1",
"action.slack_webhook_alert.param.slack_webhook": "INSERT WEBHOOK",
}

# verify=False disables TLS certificate checking for this request
res = requests.post(
"https://{host}/services/saved/searches".format(host=host),
headers=headers, verify=False, data=parameters)

melkenneth03
New Member

You need to send a POST request with the following parameters in the body:

name: <ANY NAME>
alert_comparator: greater than
alert_threshold: 0
search: <YOUR SEARCH IN SPL>
alert_type: number of events
is_scheduled: 1
cron_schedule: <YOUR CRON SCHEDULE>, for example */10 * * * *


smeier
Path Finder

I believe the only difference between a report and an alert is whether there is an alert condition specified.


chandrasekharko
Path Finder

I ran into the same exact issue. Is there a way we can create an alert with the API? What I read in the documentation is that anything we perform in the Splunk UI can be done through the API. But I could not figure out yet how to make it an alert instead of a report. Any solution for this?


smeier
Path Finder

I'm not sure if this helps, but I believe that setting alert_type to "always" is what causes Splunk to consider it to be a report.

This answer kind of talks about it: https://answers.splunk.com/answers/566648/is-there-a-way-to-convert-a-scheduled-report-to-an.html Maybe it will help.

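The parameter list in melkenneth03's answer and smeier's observation about alert_type "always" amount to one rule: a scheduled saved search is filed as an alert only when it carries a trigger condition. The following added example (not code from the original thread or from Splunk) builds a /services/saved/searches body that satisfies that rule, classifies a body or a returned entry as alert or report, and optionally posts it and reads it back. The host name, token and action names are assumed placeholders; the builder and classifier run offline, and only create_alert() talks to a Splunk instance.

```python
"""Build a Splunk saved-search body that Splunk treats as an alert, not a report."""
from urllib.parse import quote, urlencode

# alert_type values Splunk accepts; "always" is the one that yields a report.
ALERT_TYPES = {"always", "custom", "number of events", "number of hosts", "number of sources"}
COMPARATORS = {"greater than", "less than", "equal to", "not equal to", "drops by", "rises by"}


def build_alert_params(name, search, cron_schedule, threshold=0,
                       comparator="greater than", alert_type="number of events",
                       actions=None, earliest="-15m", latest="now"):
    """Return the POST body for /services/saved/searches that yields an alert.

    The REST layer expects 0/1 strings for booleans; a Python False would be
    sent as the literal text "False", so every flag is encoded explicitly.
    """
    if alert_type not in ALERT_TYPES or alert_type == "always":
        raise ValueError("alert_type must be a trigger condition, not 'always'")
    if comparator not in COMPARATORS:
        raise ValueError(f"unknown alert_comparator: {comparator!r}")
    if len(cron_schedule.split()) != 5:
        raise ValueError("cron_schedule needs all five fields, e.g. '*/10 * * * *'")
    params = {
        "name": name,
        "search": search,
        "is_scheduled": "1",
        "cron_schedule": cron_schedule,
        "dispatch.earliest_time": earliest,
        "dispatch.latest_time": latest,
        "alert_type": alert_type,
        "alert_comparator": comparator,
        "alert_threshold": str(threshold),
        "alert.track": "1",        # list firings under Triggered Alerts
        "alert.digest_mode": "1",  # one trigger per run, not one per result
        "alert.severity": "3",
    }
    if actions:
        # One comma-separated "actions" key plus action.<name>=1 for each; repeating
        # the "actions" key in a dict would silently keep only the last value.
        params["actions"] = ",".join(actions)
        for action in actions:
            params[f"action.{action}"] = "1"
    return params


def classify(saved_search):
    """Return 'alert' or 'report' for a POST body or a saved-search entry's content.

    Mirrors the UI: a search whose alert_type is 'always' (no trigger
    condition) is shown under Reports even when it is scheduled.
    """
    if saved_search.get("alert_type", "always") == "always":
        return "report"
    return "alert"


def encode_body(params):
    """Form-encode the body exactly as requests.post(data=...) would send it."""
    return urlencode(params)


def create_alert(host, token, params, verify=True):
    """POST the saved search, read it back, return (http_status, classification).

    Assumes a bearer token (Settings > Tokens); verify=True keeps TLS checking on.
    """
    import requests  # imported here so the offline helpers need no network library

    headers = {"Authorization": f"Bearer {token}"}
    base = f"https://{host}/services/saved/searches"
    res = requests.post(base, headers=headers, data=params, verify=verify)
    res.raise_for_status()
    # Read the entry back as JSON and confirm Splunk stored an alert, not a report.
    check = requests.get(f"{base}/{quote(params['name'], safe='')}", headers=headers,
                         params={"output_mode": "json"}, verify=verify)
    check.raise_for_status()
    content = check.json()["entry"][0]["content"]
    return res.status_code, classify(content)


if __name__ == "__main__":
    body = build_alert_params("test-alert1", 'index="_audit"', "*/10 * * * *",
                              actions=["email"])
    print(classify(body), encode_body(body))
    # create_alert("splunk.example.com:8089", "<TOKEN>", body)  # placeholders
```

The read-back step is the useful check: after the POST, GET the entry with output_mode=json and inspect its alert_type; if it still reads "always", the body that went out lacked a trigger condition, which is exactly what the original dictionary above does.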

jasonsigman
Engager

I am also running into this with Splunk 7.1.2.
