find inactive alerts/reports

Allampally · ‎09-11-2019

We have around 500 alerts and reports cnfigured to our application. I want to know list of alerts/reports which are active and which are not in use. I am not a Splunk admin so i can't get permission to view configuration files. If tehre is any search query to do so, please provide.

SathyaNarayanan · ‎09-11-2019

With the below command you will get all the search in your environment

| rest splunk_server=local /servicesNS/-/-/saved/searches | fields disabled is_scheduled cron_schedule eai:acl.owner eai:acl.app| search eai:acl.app=XXXX

Where disabled =0 it is active and disabled =1 it is Inactive
is_scheduled=1 is it scheduled
cron_schedule is to get the scheduled time
eai:acl.owner is owner of the search
eai:acl.app - you can filter your app in it.

Allampally · ‎09-11-2019

I don't see alert names with thsi query adn also tehre are few instances where alerts are enabled but they don't trigger at all due to chnage in the search query. I want all enabled alerts which are scheduled but not triggered at all in last 1 year or so. Could you please help me ?

SathyaNarayanan · ‎09-11-2019

Use the below query to get the required results.

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| table title disabled is_scheduled cron_schedule eai:acl.owner eai:acl.app 
| search NOT 
    [ search index=_audit action="alert_fired" 
    | rename ss_name AS title 
    | table title ]

Explanation: First query will give you list of all saved searches results , second query will give all the triggered alert. so in the above query will give the list of not triggered saved searches.

find inactive alerts/reports

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor