Archive

find inactive alerts/reports

Explorer

We have around 500 alerts and reports cnfigured to our application. I want to know list of alerts/reports which are active and which are not in use. I am not a Splunk admin so i can't get permission to view configuration files. If tehre is any search query to do so, please provide.

Tags (1)
0 Karma

Path Finder

With the below command you will get all the search in your environment

| rest splunk_server=local /servicesNS/-/-/saved/searches | fields disabled is_scheduled cron_schedule eai:acl.owner eai:acl.app| search eai:acl.app=XXXX

Where disabled =0 it is active and disabled =1 it is Inactive
is_scheduled=1 is it scheduled
cron_schedule is to get the scheduled time
eai:acl.owner is owner of the search
eai:acl.app - you can filter your app in it.

0 Karma

Explorer

I don't see alert names with thsi query adn also tehre are few instances where alerts are enabled but they don't trigger at all due to chnage in the search query. I want all enabled alerts which are scheduled but not triggered at all in last 1 year or so. Could you please help me ?

0 Karma

Path Finder

Use the below query to get the required results.

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| table title disabled is_scheduled cron_schedule eai:acl.owner eai:acl.app 
| search NOT 
    [ search index=_audit action="alert_fired" 
    | rename ss_name AS title 
    | table title ]

Explanation: First query will give you list of all saved searches results , second query will give all the triggered alert. so in the above query will give the list of not triggered saved searches.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!