Getting Data In

Which configuration file(s) hold all notable/alert settings?

DanAlexander
Communicator

Hi community,

I am trying to identify where all the settings defining an alert/notable are stored on the backend.

savedsearches.conf contains the alerts, but I am not sure how the cron schedule and other settings for an alert/notable defined via the UI are stored on the Splunk backend.

Thank you!

0 Karma

andrew_nelson
Communicator

Everything should be in the savedsearches.conf file. 

Try this search via the UI and it will list all the enabled searches with a notable action, along with all the notable action parameters.

| rest splunk_server=local /servicesNS/-/-/saved/searches
| search action.notable=1 disabled=0
| table author eai:acl.app eai:acl.owner eai:acl.sharing disabled cron_schedule dispatch.earliest_time dispatch.latest_time title search action.notable*
| rename eai:acl.* as *, action.not* as not*

 

 

gcusello
SplunkTrust

Hi @DanAlexander,

maybe I'm wrong, but to my knowledge Correlation Searches are alerts, so all the parameters are in savedsearches.conf.

Pay attention to which savedsearches.conf file you are viewing, because in ES they are distributed across many add-ons.

Ciao.

Giuseppe

0 Karma

DanAlexander
Communicator

Thanks for the reply @gcusello 

Yes, you are right about thinking of an alert/notable as being a correlation search.

Can you please give me an example of a parameters record for anything I create as a notable via the Splunk UI (is this still ES, or is it not the ES config area... apologies, I might be completely wrong here as I am trying to get my head around configs ATM)? The ES off-the-shelf detection rules (ESCU) are stored somewhere as you have suggested, but I wonder where a notable created by me will get stored. Which config file will hold my UI input, and what would be its relevant directory?

Regards,

Dan 

0 Karma

gcusello
SplunkTrust

Hi @DanAlexander,

you can look in the installed Apps at the list of installed Add-Ons to search for the savedsearches.conf files, or you could run a search on the filesystem to identify all the conf files containing your Correlation Searches.

Ciao.

Giuseppe
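A filesystem-side counterpart to the `| rest` search in the earlier answer and to the conf-file search Giuseppe suggests, added here as an example; it is not code from either poster or from Splunk. It walks every app's default and local savedsearches.conf under SPLUNK_HOME and prints the enabled stanzas that carry action.notable = 1, with the app, the file layer and the cron_schedule, which is the same information the REST search returns but read straight from disk. The file layout (etc/apps/<app>/default|local/savedsearches.conf) and the keys action.notable, cron_schedule and disabled are the real ones; the app names, stanza names, search strings and parameter values in the built-in sample are constructed for the demo.

```shell
#!/bin/sh
# Added example: list correlation searches that create notables by reading
# savedsearches.conf files on disk. Not from the thread or from Splunk.

# Parse one savedsearches.conf and print, for every stanza that has
# action.notable = 1 and is not disabled (a missing "disabled" key means
# enabled, as in Splunk):  <app>|<default or local>|<stanza>|<cron_schedule>
# Backslash continuation lines of long "search =" values are not needed here
# and are ignored, since only three keys are inspected.
list_notable_stanzas() {
  conf="$1"
  app=$(basename "$(dirname "$(dirname "$conf")")")
  layer=$(basename "$(dirname "$conf")")
  awk -v app="$app" -v layer="$layer" '
    function flush() {
      if (name != "" && notable == "1" && disabled != "1")
        printf "%s|%s|%s|%s\n", app, layer, name, cron
    }
    /^\[.*\]$/ { flush(); name = substr($0, 2, length($0) - 2)
                 notable = ""; disabled = ""; cron = ""; next }
    /^[[:space:]]*#/ { next }
    /=/ {
      key = $0; sub(/[[:space:]]*=.*/, "", key); sub(/^[[:space:]]+/, "", key)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      if (key == "action.notable") notable = val
      else if (key == "disabled") disabled = val
      else if (key == "cron_schedule") cron = val
    }
    END { flush() }
  ' "$conf"
}

# Walk every app's default and local file. ES content is spread across the
# DA-ESS-*, SA-* and ESCU add-ons; a rule saved from the UI lands in the
# local/ file of the app chosen in the correlation search editor.
find_notable_searches() {
  find "$1/etc/apps" -type f \
       \( -path '*/default/savedsearches.conf' -o -path '*/local/savedsearches.conf' \) \
    | sort | while read -r f; do list_notable_stanzas "$f"; done
}

# Constructed sample install (app names, rules and searches are made up) so
# the script runs offline; returns the temporary SPLUNK_HOME it created.
make_sample_install() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/apps/DA-ESS-Example/default" \
           "$root/etc/apps/SplunkEnterpriseSecuritySuite/local"
  cat > "$root/etc/apps/DA-ESS-Example/default/savedsearches.conf" <<'EOF'
# constructed: shipped content, rule A ships disabled, rule B enabled
[Example - Shipped Rule A - Rule]
action.correlationsearch.enabled = 1
action.notable = 1
action.notable.param.severity = medium
cron_schedule = 20 * * * *
disabled = 1
search = | tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src

[Example - Shipped Rule B - Rule]
action.correlationsearch.enabled = 1
action.notable = 1
cron_schedule = 0 * * * *
disabled = 0
search = | tstats count from datamodel=Malware by Malware_Attacks.dest

[Example - Scheduled Report]
cron_schedule = 0 6 * * *
search = index=_internal | stats count by sourcetype
EOF
  cat > "$root/etc/apps/SplunkEnterpriseSecuritySuite/local/savedsearches.conf" <<'EOF'
# constructed: what the correlation search editor writes for a UI-created rule
[Custom - Suspicious Logon - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Custom - Suspicious Logon
action.notable = 1
action.notable.param.rule_title = Suspicious logon for $user$
action.notable.param.security_domain = access
action.notable.param.severity = high
cron_schedule = */5 * * * *
disabled = 0
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
search = index=wineventlog EventCode=4624 Logon_Type=10 | stats count by user
EOF
  printf '%s\n' "$root"
}

# Usage: sh list_notables.sh /opt/splunk  (run on the ES search head);
# with no argument the constructed sample is used.
if [ "$#" -gt 0 ]; then
  find_notable_searches "$1"
else
  find_notable_searches "$(make_sample_install)"
fi
```

Two caveats. The script reads raw files and does not apply Splunk's layering, so a stanza a content add-on ships in default/ and the UI later disabled in local/ shows up twice with different disabled values; for the merged view, `splunk btool savedsearches list --debug` prints every effective key prefixed with the file it came from, which is the quickest way to answer "which file holds my UI input". And on Splunk Cloud there is no filesystem access at all, so the `| rest` search is the only option there.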
