
Disable all the alerts?

Motivator

Is it possible to disable all the alerts running in Splunk with a SINGLE click?

We have thousands of alerts. How do we disable all alerts with a single click?

1 Solution

When I needed to disable all saved searches on a search head, I used a short bash script to rename all savedsearches.conf files to savedsearches.conf.disabled and then restarted Splunk. Here's the script I used:

#!/bin/bash

cd /opt/splunk/etc/ || exit 1

# Disable ALL savedsearches.conf files.
# NUL-delimited find/read keeps paths containing spaces intact, which an
# unquoted `find` loop would split into separate words.
find . -name savedsearches.conf -print0 | while IFS= read -r -d '' f; do
    mv "${f}" "${f}.disabled"
done

# Then restart Splunk so the renamed files are no longer loaded:
# /opt/splunk/bin/splunk restart

If your Splunk instance isn't in /opt/splunk, then you might need to change the location.
To re-enable all saved searches on the search head, I used this:

#!/bin/bash

cd /opt/splunk/etc/ || exit 1

# Enable ALL savedsearches.conf files by stripping the .disabled suffix.
find . -name savedsearches.conf.disabled -print0 | while IFS= read -r -d '' f; do
    mv "${f}" "${f%.disabled}"
done

# Then restart Splunk so the restored files are loaded again:
# /opt/splunk/bin/splunk restart

Note: This makes the searches completely unavailable from the Splunk UI, because they are no longer found in the expected savedsearches.conf locations - so technically speaking, this does a lot more than "disable alerts", but it's pretty efficient for making all saved searches stop running and then restoring them back to their original state.


Path Finder

I too would like to know how something like this could be solved. My company has installs from 2am-6am on Sunday mornings and we want to disable all alerts, or a subsection of them, during this time frame, and it's surprising that Splunk doesn't have something to deal with a situation like that through the GUI.



Motivator

Thanks for answering!!

Esteemed Legend

Yes, if they are all in the same app, then they will all be in the same savedsearches.conf file under that app so you can edit that file from the CLI and use this command in vi:

:1,$s/disabled=0/disabled=1/

Motivator

Thanks for answering!!


Explorer

You could do it directly from the savedsearches.conf file. However, it will still not be a single click: you'll have to set the "enableSched" property to the value "0" in all of your search stanzas, but at least you'd be able to achieve that by editing a single file.

Setting "enableSched" to 0 means that you are disabling the scheduling of these alerts.
Hope this helps!!

Cheers.
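As an added example (not code from any of the posts above), the bash function below sets a key in every stanza of a savedsearches.conf, so it covers both the "disabled = 1" route from the vi reply and the "enableSched = 0" route from the reply above; unlike a plain substitution of "disabled=0", it also inserts the key into stanzas that omit it (those default to enabled) and tolerates "key=value" with or without spaces, keeping a .bak copy to restore from. The function names and the /opt/splunk default are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: set KEY = VALUE in every stanza
# of a Splunk .conf file, inserting the line where a stanza omits it.
# Use KEY=disabled VALUE=1 to disable, or KEY=enableSched VALUE=0 to stop
# scheduling only; restart Splunk afterwards so the change is picked up.
# Usage: set_in_all_stanzas FILE KEY VALUE   (rewrites FILE, keeps FILE.bak)
set_in_all_stanzas() {
    local file="$1" key="$2" value="$3"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    awk -v key="$key" -v value="$value" '
        # Emit the key for the stanza just finished if it never declared it,
        # then the blank lines held back so the insert lands inside the stanza.
        function flush() {
            if (in_stanza && !seen) print key " = " value
            while (blanks > 0) { print ""; blanks-- }
            seen = 0
        }
        /^[ \t]*\[/             { flush(); in_stanza = 1; print; next }
        in_stanza && /^[ \t]*$/ { blanks++; next }
        in_stanza {
            while (blanks > 0) { print ""; blanks-- }
            line = $0
            sub(/^[ \t]+/, "", line)
            # exact key followed by "=", so a key like "disabledX" is untouched
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                if (rest ~ /^[ \t]*=/) { print key " = " value; seen = 1; next }
            }
        }
        { print }
        END { flush() }
    ' "$file.bak" > "$file"
}

# Apply to every savedsearches.conf under a Splunk install (assumed default
# /opt/splunk), covering app, system and user-level copies; NUL-delimited
# find/read keeps paths with spaces intact.
disable_all_saved_searches() {
    local home="${1:-/opt/splunk}" key="${2:-disabled}" value="${3:-1}"
    find "$home/etc" -name savedsearches.conf -print0 |
        while IFS= read -r -d '' f; do
            set_in_all_stanzas "$f" "$key" "$value" || return 1
        done
}
```

Restoring is a matter of moving each .bak back into place and restarting Splunk.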

Motivator

Thanks for answering!!

Ultra Champion

What is it that you want to achieve?

If you get swamped with emails or something and want to (temporarily) stop that to troubleshoot something, you could try disabling the Alert Action.

I'm not aware of a way to disable all alerts in 1 click. Perhaps the CLI offers some options.


Motivator

Thanks for answering!!
This does not help me.
We have more than 1000 alerts running; I want to disable all the alerts at once instead of doing it one by one, as that takes more time.