Getting Data In

Which configuration file(s) hold all notable/alert settings?

DanAlexander
Communicator

Hi community,

I am trying to identify where all the settings defining an alert/notable are stored on the backend.

savedsearches.conf contains the alerts, but I'm not sure how the cron schedule and other settings for an alert/notable defined via the UI are stored on the backend of Splunk.

Thank you!

0 Karma

andrew_nelson
Communicator

Everything should be in the savedsearches.conf file.

Try this search via the UI and it'll list all the enabled searches with a notable action, along with all the notable action parameters.

| rest splunk_server=local /servicesNS/-/-/saved/searches
| search action.notable=1 disabled=0
| table author eai:acl.app eai:acl.owner eai:acl.sharing disabled cron_schedule dispatch.earliest_time dispatch.latest_time title search action.notable*
| rename eai:acl.* as *, action.not* as not*

gcusello
SplunkTrust

Hi @DanAlexander,

maybe I'm wrong, but to my knowledge Correlation Searches are alerts, so all the parameters are in savedsearches.conf.

Pay attention to which savedsearches.conf file you are viewing, because in ES they are distributed across many add-ons.

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Thanks for the reply @gcusello

Yes, you are right about thinking of an alert/notable as being a correlation search.

Can you please give me an example of a parameters record for anything I create as a notable via the Splunk UI (is this still ES, or is it not the ES config area... apologies, I might be completely wrong here as I am trying to get my head around configs ATM)? The ES off-the-shelf detection rules (ESCU) are stored somewhere as you have suggested, but I wonder where a notable created by me will get stored. Which config file will hold my UI input, and what would be its relevant directory?

Regards,

Dan

0 Karma

gcusello
SplunkTrust

Hi @DanAlexander,

you can see the list of installed Add-Ons under the installed Apps to look through their savedsearches.conf files, or you could run a search in the filesystem to identify all the conf files containing your Correlation Searches.

Ciao.

Giuseppe
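As an added example (not code from the thread, and not Splunk's own code), the Python script below does offline what the two answers above describe: the REST search that lists enabled saved searches with a notable action, and the filesystem search across add-ons for the savedsearches.conf files that hold Correlation Searches. It parses savedsearches.conf stanzas (including backslash line continuations, which long searches use), keeps only stanzas with action.notable = 1 and disabled = 0, and reports which file each one was defined in. The two sample conf files, their app names, stanza titles and searches are constructed for this example; the keys cron_schedule, dispatch.earliest_time, dispatch.latest_time and action.notable come from the search in the thread, while action.notable.param.* keys and the etc/apps/<app>/{default,local} and etc/users layout are standard Splunk but are assumptions here. The script reads each file on its own and does not apply Splunk's default/local layering.

```python
"""Audit savedsearches.conf files for enabled notable (Correlation Search) stanzas."""
import glob
import os
import re
from typing import Dict, List

Stanza = Dict[str, str]

# Constructed sample conf files (not real ES content). App names, stanza
# titles and searches are invented; the key names are standard Splunk keys.
SAMPLE_FILES: Dict[str, str] = {
    "etc/apps/DA-ESS-ExampleContent/default/savedsearches.conf": r"""
# constructed sample: an out-of-the-box rule that ships disabled
[Threat - Example Threat Activity - Rule]
search = | tstats count from datamodel=Threat_Intelligence by src
cron_schedule = */5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
action.notable = 1
action.notable.param.rule_title = Threat activity from $src$
action.notable.param.severity = high
disabled = 1
""",
    "etc/apps/SA-ExampleCustomRules/local/savedsearches.conf": r"""
# constructed sample: a rule created in the UI lands in an app's local/ directory
[Custom - Excessive Failed Logins - Rule]
search = index=auth action=failure \
| stats count by user \
| where count > 20
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = now
action.notable = 1
action.notable.param.rule_title = Excessive failed logins for $user$
action.notable.param.severity = medium

[Custom - Ordinary Report]
search = index=auth | stats count by action
cron_schedule = 0 6 * * *
action.email = 1
""",
}


def parse_conf(text: str) -> Dict[str, Stanza]:
    """Parse Splunk .conf text into {stanza_name: {key: value}}.

    Handles comments, blank lines and trailing-backslash continuation lines;
    keys seen before the first [stanza] header go into "default".
    """
    stanzas: Dict[str, Stanza] = {"default": {}}
    current = stanzas["default"]
    key, parts = None, []                      # in-progress continued value
    for raw in text.splitlines():
        line = raw.rstrip()
        if key is not None:                    # continuation of previous value
            more = line.endswith("\\")
            parts.append(line[:-1].rstrip() if more else line)
            if not more:
                current[key] = " ".join(p.strip() for p in parts)
                key, parts = None, []
            continue
        if not line or line.lstrip().startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]\s*$", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
            continue
        k, sep, v = line.partition("=")
        if not sep:
            continue                           # malformed line, skip it
        k, v = k.strip(), v.strip()
        if v.endswith("\\"):
            key, parts = k, [v[:-1].rstrip()]
        else:
            current[k] = v
    if key is not None:                        # file ended mid-continuation
        current[key] = " ".join(p.strip() for p in parts)
    if not stanzas["default"]:
        del stanzas["default"]
    return stanzas


def find_notables(conf_files: Dict[str, str]) -> List[dict]:
    """Return enabled saved searches with the notable action, plus their source file.

    Mirrors `| search action.notable=1 disabled=0` from the thread. Each file is
    read on its own; Splunk's default/local layering is NOT applied here.
    """
    found = []
    for path, text in conf_files.items():
        for title, st in parse_conf(text).items():
            if st.get("action.notable") != "1" or st.get("disabled", "0") != "0":
                continue
            found.append({
                "file": path,
                "title": title,
                "cron_schedule": st.get("cron_schedule"),
                "dispatch.earliest_time": st.get("dispatch.earliest_time"),
                "dispatch.latest_time": st.get("dispatch.latest_time"),
                "search": st.get("search"),
                "notable_params": {k: v for k, v in st.items()
                                   if k.startswith("action.notable.param.")},
            })
    return found


def load_conf_files(splunk_home: str) -> Dict[str, str]:
    """Read every savedsearches.conf under an installation: app default/local
    directories plus per-user private searches under etc/users."""
    patterns = [
        os.path.join(splunk_home, "etc", "apps", "*", "*", "savedsearches.conf"),
        os.path.join(splunk_home, "etc", "users", "*", "*", "local", "savedsearches.conf"),
    ]
    paths = sorted(p for pat in patterns for p in glob.glob(pat))
    return {p: open(p, encoding="utf-8", errors="replace").read() for p in paths}


if __name__ == "__main__":
    for rec in find_notables(SAMPLE_FILES):
        print(f"{rec['file']}\n  [{rec['title']}] cron={rec['cron_schedule']} "
              f"window={rec['dispatch.earliest_time']}..{rec['dispatch.latest_time']}")
```

Against a real installation, replace SAMPLE_FILES with load_conf_files(os.environ["SPLUNK_HOME"]); the output then shows, per file, which add-on or user directory each enabled notable rule actually lives in, which is the question the thread keeps circling back to.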
