Getting Data In

How do I remove user email?

majilan1
Path Finder

Hi Guys,

Does anybody here know how to remove a user's email from any Splunk alert and add a new user's email in its place?

I used this search to find any Splunk alerts related to the person I want to remove, but I'm getting 0 events.

| `a_searches`
| fields report_name email_recipients cc_email_recipients
| search email_recipients="* A@gmail.com*"

Any help will be appreciated!


richgalloway
SplunkTrust

To find which alerts are sending email to the user, try this query.

| rest splunk_server=local /servicesNS/-/-/saved/searches
| search alert_type!="always"
| where action.email.to="foo"

This will give you the names of the alerts to edit.  You can edit them manually or use Postman to send REST API calls to make the changes.

---
If this reply helps you, Karma would be appreciated.
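The REST route mentioned above, as an added example that is not part of the thread: it reads the same /saved/searches endpoint the `| rest` command uses, finds every alert whose To/Cc/Bcc contains the old address, and builds the POST for each one (owner and app come from the entry's ACL, so shared alerts are updated in the right namespace). The management URL, the credentials and the sample entries are assumptions; the live calls are kept in separate functions so the planning logic can be checked offline.

```python
"""Find Splunk alerts that e-mail one address and rewrite the recipient via REST.

Added example (not from the thread above). It assumes the splunkd management
port on https://127.0.0.1:8089 and basic-auth credentials; both are placeholders.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

BASE_URL = "https://127.0.0.1:8089"      # assumption: local splunkd management port
CREDENTIALS = ("admin", "changeme")      # assumption: replace with a real user or use a token
EMAIL_FIELDS = ("action.email.to", "action.email.cc", "action.email.bcc")


def split_recipients(value):
    """action.email.to/cc/bcc are stored as one comma-separated string."""
    return [r.strip() for r in (value or "").split(",") if r.strip()]


def replace_recipient(value, old, new):
    """Swap `old` for `new` in a recipient string; returns (new_string, changed).

    Matching is exact per address and case-insensitive, so a wildcard search
    that also hits e.g. "notA@gmail.com" is not a concern here; a duplicate
    that would result from `new` already being present is collapsed.
    """
    recipients = split_recipients(value)
    changed = any(r.lower() == old.lower() for r in recipients)
    seen, kept = set(), []
    for r in recipients:
        r = new if r.lower() == old.lower() else r
        if r.lower() not in seen:
            seen.add(r.lower())
            kept.append(r)
    return ", ".join(kept), changed


def plan_updates(entries, old, new, alerts_only=True):
    """Turn /saved/searches JSON entries into the POSTs needed to replace `old`.

    Each plan carries the per-object path (owner and app come from the entry's
    ACL) and only the e-mail fields that actually changed.
    """
    plans = []
    for entry in entries:
        content = entry.get("content", {})
        if alerts_only and content.get("alert_type", "always") == "always":
            continue  # same filter as the thread's `search alert_type!="always"`
        payload = {}
        for field in EMAIL_FIELDS:
            new_value, changed = replace_recipient(content.get(field), old, new)
            if changed:
                payload[field] = new_value
        if payload:
            acl = entry["acl"]
            path = "/servicesNS/%s/%s/saved/searches/%s" % tuple(
                urllib.parse.quote(s, safe="") for s in (acl["owner"], acl["app"], entry["name"]))
            plans.append({"name": entry["name"], "path": path, "payload": payload})
    return plans


def _request(method, path, data=None, verify_tls=True):
    """Minimal splunkd REST call with basic auth; returns the parsed JSON reply."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a self-signed lab instance
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    token = base64.b64encode(("%s:%s" % CREDENTIALS).encode()).decode()
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(BASE_URL + path, data=body, method=method,
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


def fetch_saved_searches(verify_tls=True):
    """GET every saved search visible to the caller, across all owners and apps."""
    return _request("GET", "/servicesNS/-/-/saved/searches?output_mode=json&count=0",
                    verify_tls=verify_tls)["entry"]


def apply_updates(plans, verify_tls=True):
    """POST each planned change; output_mode=json keeps the reply parseable."""
    for plan in plans:
        _request("POST", plan["path"] + "?output_mode=json", plan["payload"], verify_tls)


# Constructed sample: the shape of two entries as returned by
# /servicesNS/-/-/saved/searches?output_mode=json (trimmed to the fields used).
SAMPLE_ENTRIES = [
    {"name": "Failed logins spike", "acl": {"owner": "secops", "app": "search"},
     "content": {"alert_type": "number of events",
                 "action.email.to": "A@gmail.com, soc@example.com",
                 "action.email.cc": "a@GMAIL.com", "action.email.bcc": ""}},
    {"name": "Weekly report", "acl": {"owner": "nobody", "app": "search"},
     "content": {"alert_type": "always", "action.email.to": "A@gmail.com"}},
]


def demo():
    """Dry run over the sample data: returns the planned POSTs without sending."""
    return plan_updates(SAMPLE_ENTRIES, "A@gmail.com", "B@example.com")


if __name__ == "__main__":
    for plan in demo():
        print(plan["path"], json.dumps(plan["payload"]))
    # Against a live instance (needs write access to the saved searches):
    # apply_updates(plan_updates(fetch_saved_searches(), "A@gmail.com", "B@example.com"))
```

Run `demo()` first and review the printed paths and payloads before calling `apply_updates`; the POST only sends the e-mail fields that changed, so the rest of each alert's configuration is left untouched. Scheduled reports that e-mail the same person have `alert_type` set to `always` and are skipped unless `alerts_only=False` is passed.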

majilan1
Path Finder

I'm getting this error: Error in 'SearchOperator': Missing required REST url.

| rest splunk_server=local /servicesNS/-/-/saved/searches
| search alert_type!="always"
| where action.email.to="A@gmail.com"

richgalloway
SplunkTrust (accepted solution)

I've run that query successfully on two different systems so I know it works.  I can't explain the error message.  What is your role?  What version of Splunk?

One thing to try, even though it shouldn't make a difference, is to put the splunk_server option on the end of the command.

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search alert_type!="always"
| where action.email.to="A@gmail.com"

johnhuang
Motivator

There's a space in your email recipient "* A@gmail.com*".

If your search doesn't work, try this:

| rest splunk_server="local" "/servicesNS/-/-/saved/searches"
| search NOT search="| noop"
| rex field=id mode=sed "s/https:\/\/127.0.0.1:\d+\///"
| rename eai:acl.app AS app, search AS search_query, description AS desc, id AS url, title AS report_name, action.email.to AS email_to, action.email.cc AS email_cc, action.email.bcc AS email_bcc
| eval time_update_epoch=strptime(updated, "%Y-%m-%dT%H:%M:%S.%2N%Z")
| eval last_updated=strftime(time_update_epoch, "%Y-%m-%d %H:%M")
| eval cron_job=case(disabled=0, cron_schedule, 1=1, "")
| table report_name author email_to email_cc email_bcc last_updated cron_job app url desc


majilan1
Path Finder

What privilege is required to perform this action? Is a regular user able to do so, or is an admin role needed?

Thanks!


johnhuang
Motivator

You need permission to use the REST API, e.g. the capability "rest_properties_get".