Alerting

When I try to create an alert with the Splunk Rest API it just makes a report instead

Path Finder

I've been playing with the different properties to see if something would trigger a report/saved search becoming an alert with no luck. Any guidance on how to create an alert via the API would be much appreciated.

parameters = {'name': 'test-alert1',
'search': 'index="_audit"',
'description': 'test alert',
'action.email': False,
'action.email.sendresults': None,
'action.email.to': '',
'action.populate_lookup': False,
'action.rss': False,
'action.script': False,
'action.summary_index': False,
'actions': '',
"action.slack_webhook_alert.param.slack_message": "test",
"action.sn_sec_multi_incident_alert.param.shortdescription": "test",
"action.sn_sec_multi_incident_alert.param.ci": "test",
"action.sn_sec_multi_incident_alert.param.category": "Splunk",
"action.sn_sec_multi_incident_alert.param.source": "test",
"action.sn_sec_multi_incident_alert.param.priority": "3",
"action.sn_sec_multi_incident_alert.param.description": "test",
'alert.digest_mode': True,
'alert.expires': '24h',
'alert.managedBy': '',
'alert.severity': '3',
'alert.suppress': None,
'alert.suppress.fields': '',
'alert.suppress.period': '',
'alert.track': False,
'alert_comparator': 'greater than',
'alert_condition': '',
'alert_threshold': '0',
'alert_type': 'always',
'allow_skew': '0',
'auto_summarize': False,
'is_visible': '1',
'dispatch.earliest_time': '-30m',
'is_scheduled': '1',
'cron_schedule': '5 ',
'max_concurrent': '1',
"action.sn_sec_multi_incident_alert": "1",
"actions": "sn_sec_multi_incident_alert",
"action.slack_webhook_alert": "1",
"action.slack_webhook_alert.param.slack_webhook": "INSERT WEBHOOK",
"actions": "slack_webhook_alert",
"action.slack_webhook_alert": "1"
}

res = requests.post(
"https://{host}/services/saved/searches".format(host=host),
headers=headers, verify=False, data=parameters)
Tags (4)

Path Finder

I believe the only difference between a report and an alert is whether there is an alert condition specified.

0 Karma

Path Finder

I ran into same exact issue. Is there a way that we can create an alert with API? What I read in the documentation is anything whatever we perform in Splunk UI can be done through API. But, I cloud not figure out yet how to make it an alert instead of a report. Any solution for this?

0 Karma

Path Finder

I'm not sure if this helps- but I believe that setting alert_type to "always" is what causes Splunk to consider it be a report.

This answer kind of talks about it- https://answers.splunk.com/answers/566648/is-there-a-way-to-convert-a-scheduled-report-to-an.html maybe it will help.

0 Karma

Engager

I am also running into this with Splunk 7.1.2

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!