Alerting

When I try to create an alert with the Splunk Rest API it just makes a report instead?

joemaz95
Path Finder

I've been playing with the different properties to see if something would trigger a report/saved search becoming an alert with no luck. Any guidance on how to create an alert via the API would be much appreciated.

parameters = {'name': 'test-alert1',
'search': 'index="_audit"',
'description': 'test alert',
'action.email': False,
'action.email.sendresults': None,
'action.email.to': '',
'action.populate_lookup': False,
'action.rss': False,
'action.script': False,
'action.summary_index': False,
'actions': '',
"action.slack_webhook_alert.param.slack_message": "test",
"action.sn_sec_multi_incident_alert.param.shortdescription": "test",
"action.sn_sec_multi_incident_alert.param.ci": "test",
"action.sn_sec_multi_incident_alert.param.category": "Splunk",
"action.sn_sec_multi_incident_alert.param.source": "test",
"action.sn_sec_multi_incident_alert.param.priority": "3",
"action.sn_sec_multi_incident_alert.param.description": "test",
'alert.digest_mode': True,
'alert.expires': '24h',
'alert.managedBy': '',
'alert.severity': '3',
'alert.suppress': None,
'alert.suppress.fields': '',
'alert.suppress.period': '',
'alert.track': False,
'alert_comparator': 'greater than',
'alert_condition': '',
'alert_threshold': '0',
'alert_type': 'always',
'allow_skew': '0',
'auto_summarize': False,
'is_visible': '1',
'dispatch.earliest_time': '-30m',
'is_scheduled': '1',
'cron_schedule': '5 ',
'max_concurrent': '1',
"action.sn_sec_multi_incident_alert": "1",
"actions": "sn_sec_multi_incident_alert",
"action.slack_webhook_alert": "1",
"action.slack_webhook_alert.param.slack_webhook": "INSERT WEBHOOK",
"actions": "slack_webhook_alert",
"action.slack_webhook_alert": "1"
}

res = requests.post(
"https://{host}/services/saved/searches".format(host=host),
headers=headers, verify=False, data=parameters)
Labels (1)
Tags (4)

melkenneth03
New Member

You need to send a POST request with the following parameters in the body:

 

name

<ANY NAME>

alert_comparator

greater than

alert_threshold

0

search

<YOUR SEARCH IN SPL>

alert_type

number of events

is_scheduled

1

cron_schedule

<YOUR CRON SCHEDULE>
Example: 

*/10 * * * *

Tags (1)
0 Karma

smeier
Path Finder

I believe the only difference between a report and an alert is whether there is an alert condition specified.

0 Karma

chandrasekharko
Path Finder

I ran into same exact issue. Is there a way that we can create an alert with API? What I read in the documentation is anything whatever we perform in Splunk UI can be done through API. But, I cloud not figure out yet how to make it an alert instead of a report. Any solution for this?

0 Karma

smeier
Path Finder

I'm not sure if this helps- but I believe that setting alert_type to "always" is what causes Splunk to consider it be a report.

This answer kind of talks about it- https://answers.splunk.com/answers/566648/is-there-a-way-to-convert-a-scheduled-report-to-an.html maybe it will help.

0 Karma

jasonsigman
Engager

I am also running into this with Splunk 7.1.2

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...