Hi Guys,
Does anybody here know how to remove a user's email from any Splunk alert and add a new user's email in its place?
I used this search to find any Splunk alerts related to the person I want to remove, but I'm getting 0 events.
| `a_searches`
| fields report_name email_recipients cc_email_recipients
| search email_recipients="* A@gmail.com*"
Any help will be appreciated!
I've run that query successfully on two different systems so I know it works. I can't explain the error message. What is your role? What version of Splunk?
One thing to try, even though it shouldn't make a difference, is to put the splunk_server option on the end of the command.
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search alert_type!="always"
| where action.email.to="A@gmail.com"
To find which alerts are sending email to the user, try this query.
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search alert_type!="always"
| where action.email.to="foo"
This will give you the names of the alerts to edit. You can edit them manually or use Postman to send REST API calls to make the changes.
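For the REST route, here is an added example (not from this thread or from Splunk) that lists saved searches through the same /servicesNS/-/-/saved/searches endpoint the rest command hits, swaps the old recipient for the new one in the to/cc/bcc fields, and POSTs the change back. The host, token and the sample alert entries are placeholders constructed for the example; the matching is case-insensitive and trims whitespace, which is the kind of stray space that broke the search in the question.

```python
import json
import urllib.parse
import urllib.request

SPLUNK_URL = "https://splunk.example.com:8089"            # placeholder search head
AUTH_HEADER = {"Authorization": "Bearer <token-placeholder>"}  # needs write access
RECIPIENT_FIELDS = ("action.email.to", "action.email.cc", "action.email.bcc")

def replace_recipient(value, old, new):
    """Rewrite one comma-separated recipient list; returns (text, changed).
    Case-insensitive and whitespace-trimmed so a stray space cannot cause a miss."""
    out, changed = [], False
    for addr in (a.strip() for a in (value or "").split(",")):
        if addr.lower() == old.lower():
            addr, changed = new, True
        if addr and addr.lower() not in (x.lower() for x in out):  # no dupes
            out.append(addr)
    return ",".join(out), changed

def plan_updates(entries, old, new):
    """From the 'entry' list of GET .../saved/searches?output_mode=json, build
    [(edit_path, form_fields)] for each alert that still names the old user."""
    plan = []
    for entry in entries:
        content, fields = entry.get("content", {}), {}
        for f in RECIPIENT_FIELDS:
            text, changed = replace_recipient(content.get(f, ""), old, new)
            if changed:
                fields[f] = text
        if fields:
            plan.append((entry["links"]["edit"], fields))
    return plan

def fetch_entries(url=SPLUNK_URL):
    # Same endpoint as the | rest query in the thread; count=0 returns all entries.
    req = urllib.request.Request(f"{url}/servicesNS/-/-/saved/searches"
                                 "?output_mode=json&count=0", headers=AUTH_HEADER)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entry"]

def apply_updates(plan, url=SPLUNK_URL):
    for path, fields in plan:  # Splunk takes form-encoded fields on the edit link
        body = urllib.parse.urlencode(fields).encode()
        urllib.request.urlopen(urllib.request.Request(url + path, body, AUTH_HEADER))

# Constructed sample alert entry so the planning step can be run offline.
SAMPLE_ENTRIES = [{"links": {"edit": "/servicesNS/nobody/search/saved/searches/Disk%20alert"},
                   "content": {"action.email.to": "ops@example.com, A@gmail.com",
                               "action.email.cc": "b@example.com"}}]
```

Run `plan_updates(SAMPLE_ENTRIES, "a@gmail.com", "new.user@example.com")` to see what would be posted before calling `apply_updates` against a live instance.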
I'm getting "Error in the 'SearchOperator':Missing required REST url."
| rest splunk_server=local /servicesNS/-/-/saved/searches
| search alert_type!="always"
| where action.email.to="A@gmail.com"
There's a space in your email recipient "* A@gmail.com*".
If your search doesn't work, try this:
| rest splunk_server="local" "/servicesNS/-/-/saved/searches" | search NOT search="| noop"
| rex field=id mode=sed "s/https:\/\/127.0.0.1:\d+\///"
| rename eai:acl.app AS app, search AS search_query, description AS desc, id AS url, title AS report_name, action.email.to AS email_to, action.email.cc AS email_cc, action.email.bcc AS email_bcc
| eval time_update_epoch=strptime(updated, "%Y-%m-%dT%H:%M:%S.%2N%Z")
| eval last_updated=strftime(time_update_epoch, "%Y-%m-%d %H:%M")
| eval cron_job=CASE(disabled=0, cron_schedule, 1=1, "")
| table report_name author email_to email_cc email_bcc last_updated cron_job app url desc
What privilege is required to perform this action? Is a user able to do so, or do they need an admin role?
Thanks!
You need permissions to the REST API, e.g. the capability "rest_properties_get".