
find inactive alerts/reports

Explorer

We have around 500 alerts and reports configured for our application. I want to know the list of alerts/reports which are active and which are not in use. I am not a Splunk admin, so I can't get permission to view configuration files. If there is any search query to do so, please provide it.


Path Finder

With the below command you will get all the searches in your environment:

| rest splunk_server=local /servicesNS/-/-/saved/searches | fields disabled is_scheduled cron_schedule eai:acl.owner eai:acl.app| search eai:acl.app=XXXX

Where disabled=0 it is active and disabled=1 it is inactive.
is_scheduled=1 means it is scheduled.
cron_schedule gives the scheduled time.
eai:acl.owner is the owner of the search.
eai:acl.app - you can filter your app in it.


Explorer

I don't see alert names with this query, and also there are a few instances where alerts are enabled but they don't trigger at all due to a change in the search query. I want all enabled alerts which are scheduled but have not triggered at all in the last 1 year or so. Could you please help me?


Path Finder

Use the below query to get the required results:

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| table title disabled is_scheduled cron_schedule eai:acl.owner eai:acl.app 
| search NOT 
    [ search index=_audit action="alert_fired" 
    | rename ss_name AS title 
    | table title ]

Explanation: The first query gives you the list of all saved searches; the second (sub)query gives all the triggered alerts. So the query above gives the list of saved searches that have not triggered.

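As an added example (my own query, not part of either answer above), the two approaches can be combined so that every enabled, scheduled search is listed with how many times it fired in the last year and when it last fired, instead of only filtering the fired ones out with NOT. This makes the "enabled but never triggers" case from the question directly visible. The field names (disabled, is_scheduled, cron_schedule, eai:acl.app, eai:acl.owner, ss_name, action=alert_fired) are the ones used in the answers; the earliest=-1y window, the left join, and the fired_count and last_fired column names are my additions.

```spl
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search disabled=0 is_scheduled=1
| table title eai:acl.app eai:acl.owner cron_schedule
| join type=left title
    [ search index=_audit action=alert_fired earliest=-1y latest=now
      | stats count AS fired_count latest(_time) AS last_fired BY ss_name
      | rename ss_name AS title ]
| fillnull value=0 fired_count
| eval last_fired=if(fired_count>0, strftime(last_fired, "%Y-%m-%d %H:%M:%S"), "never in last year")
| sort 0 fired_count, title
```

Rows with fired_count=0 are the enabled, scheduled searches that produced no alert_fired event in the window. Two caveats worth knowing before trusting the result: alert_fired is written only when an alert action triggers, so a scheduled report with no alert action will always show as never fired here (for those, the scheduler log in index=_internal, sourcetype=scheduler, with its savedsearch_name and status fields, records each run instead); and both _audit and _internal are usually not searchable by non-admin roles, so a user in the questioner's position may need an admin to grant access to those indexes, and | rest only returns the saved searches the running user is permitted to read.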