Alerting

When I try to create an alert with the Splunk Rest API it just makes a report instead?

joemaz95
Path Finder

I've been playing with the different properties to see if something would trigger a report/saved search becoming an alert with no luck. Any guidance on how to create an alert via the API would be much appreciated.

import requests

host = "splunk.example.com:8089"            # placeholder: the original post did not show its host value
headers = {"Authorization": "Bearer <TOKEN>"}  # placeholder: the original post did not show its headers

# Note: the original literal listed 'actions' three times and 'action.slack_webhook_alert' twice.
# A Python dict keeps only the last value for a duplicated key, so what was actually sent for
# 'actions' was "slack_webhook_alert"; the duplicates are collapsed here to that final value.
# requests drops keys whose value is None and sends True/False as the strings "True"/"False".
parameters = {
    'name': 'test-alert1',
    'search': 'index="_audit"',
    'description': 'test alert',
    'action.email': False,
    'action.email.sendresults': None,
    'action.email.to': '',
    'action.populate_lookup': False,
    'action.rss': False,
    'action.script': False,
    'action.summary_index': False,
    'action.slack_webhook_alert.param.slack_message': 'test',
    'action.sn_sec_multi_incident_alert.param.shortdescription': 'test',
    'action.sn_sec_multi_incident_alert.param.ci': 'test',
    'action.sn_sec_multi_incident_alert.param.category': 'Splunk',
    'action.sn_sec_multi_incident_alert.param.source': 'test',
    'action.sn_sec_multi_incident_alert.param.priority': '3',
    'action.sn_sec_multi_incident_alert.param.description': 'test',
    'alert.digest_mode': True,
    'alert.expires': '24h',
    'alert.managedBy': '',
    'alert.severity': '3',
    'alert.suppress': None,
    'alert.suppress.fields': '',
    'alert.suppress.period': '',
    'alert.track': False,
    'alert_comparator': 'greater than',
    'alert_condition': '',
    'alert_threshold': '0',
    'alert_type': 'always',        # "always" means no alert condition (see the replies below)
    'allow_skew': '0',
    'auto_summarize': False,
    'is_visible': '1',
    'dispatch.earliest_time': '-30m',
    'is_scheduled': '1',
    'cron_schedule': '5 ',         # as posted; not a complete cron expression
    'max_concurrent': '1',
    'action.sn_sec_multi_incident_alert': '1',
    'action.slack_webhook_alert': '1',
    'action.slack_webhook_alert.param.slack_webhook': 'INSERT WEBHOOK',
    'actions': 'slack_webhook_alert',
}

res = requests.post(
    "https://{host}/services/saved/searches".format(host=host),
    headers=headers, verify=False, data=parameters)

melkenneth03
New Member

You need to send a POST request with the following parameters in the body:

name: <ANY NAME>
alert_comparator: greater than
alert_threshold: 0
search: <YOUR SEARCH IN SPL>
alert_type: number of events
is_scheduled: 1
cron_schedule: <YOUR CRON SCHEDULE>
Example: */10 * * * *
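The parameter set above, put together as a runnable script. This is an added example, not code from the original poster or from Splunk; it assumes a Splunk management endpoint on port 8089 reachable over HTTPS, a bearer token, and a constructed failed-login search, and it keeps certificate verification on rather than passing verify=False.

```python
"""Create a Splunk alert (not a report) through the saved/searches REST endpoint."""
import json
import ssl
import urllib.parse
import urllib.request


def build_alert_params(name, search, cron_schedule, threshold=0,
                       comparator="greater than"):
    """Return the form fields that make Splunk store the saved search as an alert.

    The decisive fields are alert_type ("number of events" instead of "always"),
    alert_comparator and alert_threshold: with alert_type "always" there is no
    alert condition, so Splunk saves a scheduled report.
    """
    return {
        "name": name,
        "search": search,
        "is_scheduled": "1",
        "cron_schedule": cron_schedule,
        "dispatch.earliest_time": "-30m",
        "dispatch.latest_time": "now",
        "alert_type": "number of events",
        "alert_comparator": comparator,
        "alert_threshold": str(threshold),
        "alert.track": "1",       # list triggered alerts under Activity > Triggered Alerts
        "alert.severity": "3",
        "alert.expires": "24h",
    }


def is_alert(params):
    """The rule this thread arrives at: an alert carries a condition, a report does not."""
    return params.get("alert_type", "always") != "always"


def create_alert(host, token, params):
    """POST the fields to /services/saved/searches and return the decoded JSON reply."""
    url = "https://{}/services/saved/searches?output_mode=json".format(host)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(params).encode(),
                                 method="POST",
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample: alert when more than 5 failed logins land in _audit within 30 minutes.
    spl = 'index=_audit action="login attempt" info=failed'
    fields = build_alert_params("failed-logins", spl, "*/10 * * * *", threshold=5)
    print(json.dumps(create_alert("splunk.example.com:8089", "<TOKEN>", fields), indent=2))
```

After the POST, a GET on the same saved search should show alert_type "number of events"; if it still reads "always", the condition fields were not accepted.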


smeier
Path Finder

I believe the only difference between a report and an alert is whether there is an alert condition specified.


chandrasekharko
Path Finder

I ran into the same exact issue. Is there a way that we can create an alert with the API? What I read in the documentation is that anything we perform in the Splunk UI can be done through the API. But I could not figure out yet how to make it an alert instead of a report. Any solution for this?


smeier
Path Finder

I'm not sure if this helps, but I believe that setting alert_type to "always" is what causes Splunk to consider it to be a report.

This answer kind of talks about it: https://answers.splunk.com/answers/566648/is-there-a-way-to-convert-a-scheduled-report-to-an.html Maybe it will help.


jasonsigman
Engager

I am also running into this with Splunk 7.1.2
