Getting Data In

Which configuration file(s) hold all notable/alert settings?

DanAlexander
Communicator

Hi community,

I am trying to identify where all settings defining an alert/notable are stored at the backend.

savedsearches.conf contains the alerts, but I am not sure how the cron schedule and other settings for an alert/notable defined via the UI are stored at the backend of Splunk.

Thank you!

0 Karma

andrew_nelson
Communicator

Everything should be in the savedsearches.conf file. 

Try this search via the UI and it'll list all the enabled searches with a notable action, and all the notable action parameters.

| rest splunk_server=local /servicesNS/-/-/saved/searches  
| search action.notable=1 disabled=0
| table author eai:acl.app eai:acl.owner eai:acl.sharing disabled cron_schedule dispatch.earliest_time dispatch.latest_time title search action.notable* 
| rename eai:acl.* as *, action.not* as not*

gcusello
SplunkTrust

Hi @DanAlexander,

maybe I'm wrong, but to my knowledge Correlation Searches are alerts, so all the parameters are in savedsearches.conf.

Pay attention to which savedsearches.conf file you are viewing, because in ES they are distributed across many add-ons.

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Thanks for the reply @gcusello 

Yes, you are right about thinking of an alert/notable as being a correlation search.

Can you please give me an example of a parameters record for anything I create as a notable via the Splunk UI (is this still ES, or is it not the ES config area... apologies, I might be completely wrong here as I am trying to get my head around configs ATM)? The ES off-the-shelf detection rules (ESCU) are stored somewhere as you have suggested, but I wonder where a notable created by me will get stored. Which config file will hold my UI input, and what would be its relevant directory?

Regards,

Dan 

0 Karma

gcusello
SplunkTrust

Hi @DanAlexander,

you can look at the installed Apps for the list of installed Add-Ons in which to search for savedsearches.conf, or you could run a search in the filesystem to identify all the conf files containing your Correlation Searches.

Ciao.

Giuseppe
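The filesystem search gcusello describes, written out as an added example (this is not code from the thread or from Splunk). It reads savedsearches.conf from every app under a Splunk etc/ tree the way Splunk layers it, each app's default/ first and then local/ overriding it, and reports every enabled stanza with action.notable = 1 together with its cron_schedule and the file that actually set each of those keys. The directory names and stanzas below are constructed for the example; the key names (action.notable, cron_schedule, disabled, dispatch.earliest_time) are the real savedsearches.conf keys. It assumes the real on-disk layout of etc/apps/<app>/{default,local}/savedsearches.conf and deliberately ignores user-private searches, which live under etc/users/<user>/<app>/local/ instead.

```python
"""Added example (not from the thread): list correlation searches that raise
notables by reading savedsearches.conf from a Splunk etc/ tree, layering each
app's default/ and local/ the way Splunk does (local overrides default).
The sample files below are constructed for the example.
"""
import configparser
import tempfile
from pathlib import Path

# Constructed sample conf files. A notable created in the UI lands in an
# app's local/ directory; shipped content lives in default/ and is often
# only enabled by a one-key stanza in local/.
SAMPLE_FILES = {
    "apps/DA-ESS-ThreatIntelligence/default/savedsearches.conf": """\
[Threat - Shipped Rule - Rule]
search = | tstats count from datamodel=Threat_Intelligence
cron_schedule = */5 * * * *
action.notable = 1
action.notable.param.rule_title = Shipped rule
disabled = 1
""",
    "apps/DA-ESS-ThreatIntelligence/local/savedsearches.conf": """\
[Threat - Shipped Rule - Rule]
disabled = 0
""",
    "apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf": """\
[My UI Notable - Rule]
search = index=main sourcetype=syslog "failed password"
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
action.notable = 1
action.notable.param.severity = high
""",
    "apps/search/local/savedsearches.conf": """\
[Plain alert, no notable]
search = index=_internal | head 1
cron_schedule = 0 6 * * *
action.email = 1
""",
}


def build_sample_tree() -> Path:
    """Write the constructed sample files under a temp dir; return its etc/ root."""
    root = Path(tempfile.mkdtemp()) / "etc"
    for rel, body in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


def read_conf(path: Path) -> configparser.ConfigParser:
    """Parse one Splunk .conf file. Keys keep their case and may contain dots."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep action.notable.param.rule_title as written
    cp.read(path)
    return cp


def merged_stanzas(app_dir: Path) -> dict:
    """{stanza: {key: (value, source_file)}} for one app, local/ over default/."""
    stanzas: dict = {}
    for layer in ("default", "local"):
        conf = app_dir / layer / "savedsearches.conf"
        if not conf.is_file():
            continue
        cp = read_conf(conf)
        for name in cp.sections():
            entry = stanzas.setdefault(name, {})
            for key, value in cp.items(name):
                entry[key] = (value, str(conf))  # later layer wins
    return stanzas


def find_notable_searches(etc_root: Path) -> dict:
    """Enabled searches with action.notable=1 across every app under etc_root/apps."""
    found = {}
    for app_dir in sorted((etc_root / "apps").iterdir()):
        for name, keys in merged_stanzas(app_dir).items():
            if keys.get("action.notable", ("0", ""))[0] != "1":
                continue
            if keys.get("disabled", ("0", ""))[0] == "1":
                continue
            found[name] = {
                "app": app_dir.name,
                "cron_schedule": keys.get("cron_schedule", ("", ""))[0],
                "defined_in": keys["action.notable"][1],
                "enabled_by": keys.get("disabled", ("0", "(default)"))[1],
            }
    return found


if __name__ == "__main__":
    for name, info in find_notable_searches(build_sample_tree()).items():
        print(f"{name!r}: app={info['app']} cron={info['cron_schedule']} "
              f"notable set in {info['defined_in']}, enabled by {info['enabled_by']}")
```

On a real search head the same layering question is answered by Splunk's own tool, `$SPLUNK_HOME/bin/splunk btool savedsearches list --debug`, which prints every effective key prefixed with the file it came from; the script above is useful when you want the result as data or are inspecting a copied etc/ tree offline.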
