find inactive alerts/reports


We have around 500 alerts and reports cnfigured to our application. I want to know list of alerts/reports which are active and which are not in use. I am not a Splunk admin so i can't get permission to view configuration files. If tehre is any search query to do so, please provide.

Tags (1)
0 Karma

Path Finder

With the below command you will get all the search in your environment

| rest splunk_server=local /servicesNS/-/-/saved/searches | fields disabled is_scheduled cron_schedule eai:acl.owner| search

Where disabled =0 it is active and disabled =1 it is Inactive
is_scheduled=1 is it scheduled
cron_schedule is to get the scheduled time
eai:acl.owner is owner of the search - you can filter your app in it.

0 Karma


I don't see alert names with thsi query adn also tehre are few instances where alerts are enabled but they don't trigger at all due to chnage in the search query. I want all enabled alerts which are scheduled but not triggered at all in last 1 year or so. Could you please help me ?

0 Karma

Path Finder

Use the below query to get the required results.

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| table title disabled is_scheduled cron_schedule eai:acl.owner 
| search NOT 
    [ search index=_audit action="alert_fired" 
    | rename ss_name AS title 
    | table title ]

Explanation: First query will give you list of all saved searches results , second query will give all the triggered alert. so in the above query will give the list of not triggered saved searches.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!