Bulk enabling alerts

joe06031990
Communicator

Hi,

Is there a way of bulk enabling alerts in Splunk Enterprise?

Thanks,

Joe

gcusello
SplunkTrust
SplunkTrust

Hi @joe06031990 ,

It's a request from many of us;

go to Splunk Ideas and vote for it: maybe someone in the Splunk project will consider the request!

Ciao.

Giuseppe

deepakc
Builder

A while ago, I had to enable a number of alerts (saved searches) for an app.

I created a simple bash script (assuming you're Linux based) which used the API, and this ran through them. Take note of what @PickleRick said: you could end up with a performance issue if you enable too many.

This worked for me.

You need to create a Splunk token and get a list of your target alerts (saved searches) in your app, then add them to the bash script. A bit of homework, yes, but it got the job done in the end for me.

Here is an example bash script:

#!/bin/bash
# Define your variables
TOKEN="MY SPLUNK TOKEN"

SERVER="https://MY_SPLUNK_SERVER_SH:8089"
APP="MY_APP"

# Define alerts (saved search names in $APP)
ALERTS=("my_alert1" "my_alert2")

# Loop through each alert and enable it.
# -f makes curl exit non-zero on an HTTP 4xx/5xx, so the success check below
# actually catches a failed enable (without it curl returns 0 even on a 403/404).
# -k skips TLS certificate verification; drop it once the management port has a trusted certificate.
for ALERT in "${ALERTS[@]}"; do
  echo "Enabling alert: $ALERT"
  if curl -sS -f -k -X POST -H "Authorization: Bearer $TOKEN" \
       "$SERVER/servicesNS/nobody/$APP/saved/searches/$ALERT" -d disabled=0 > /dev/null; then
    echo "Alert $ALERT enabled successfully."
    sleep 10   # pause so the scheduler is not hit with many newly enabled searches at once
  else
    echo "Failed to enable alert $ALERT."
  fi
done


You can use the search below to find your alert search names:

| rest splunk_server=local /services/saved/searches
| fields splunk_server, author, title, disabled, eai:acl.app, eai:acl.owner, eai:acl.sharing, id, search
| rename title AS saved_search_name, eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing, search AS spl_code
| eval is_enabled = case(disabled >= 1, "disabled", 1=1, "enabled")
```| search app="YOUR APP NAME" ```
| table splunk_server, author, saved_search_name, disabled, is_enabled, app, owner, sharing, spl_code
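A Python version of the same procedure, added here as an example (it is not the poster's script nor Splunk's own tooling): it lists the app's saved searches through the same REST endpoint with output_mode=json, enables only the scheduled ones that are currently disabled, caps how many it touches per run (the performance caveat raised in this thread), URL-encodes names that contain spaces, and checks the HTTP status of every POST rather than only the client's exit code. SERVER, TOKEN and APP are placeholders to replace, and SAMPLE_ENTRIES is a constructed, trimmed copy of what the endpoint returns so the selection logic can be tried offline.

```python
"""Bulk-enable Splunk alerts (saved searches) via the REST API.

Added example, not the thread's script: same endpoint as the bash/curl
loop, but it lists first, enables only disabled scheduled searches in one
app, caps the batch size, pauses between enables and checks HTTP status.
SERVER, TOKEN and APP are placeholders; SAMPLE_ENTRIES is constructed.
"""
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

SERVER = "https://MY_SPLUNK_SERVER_SH:8089"   # placeholder management port
TOKEN = "MY SPLUNK TOKEN"                      # placeholder bearer token
APP = "MY_APP"                                  # placeholder app name


def http_request(method, url, body=None, verify_tls=True):
    """Send one request to splunkd and return (status, response_text).
    verify_tls=False is the equivalent of curl -k; keep it True once the
    management port has a trusted certificate."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {TOKEN}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:      # 4xx/5xx still carry a status
        return exc.code, exc.read().decode("utf-8", "replace")


def list_saved_searches(request=http_request):
    """Fetch every saved search visible in APP as JSON 'entry' objects."""
    url = f"{SERVER}/servicesNS/nobody/{APP}/saved/searches?output_mode=json&count=0"
    status, text = request("GET", url)
    if status != 200:
        raise RuntimeError(f"listing failed with HTTP {status}")
    return json.loads(text)["entry"]


def select_disabled(entries, app, scheduled_only=True):
    """Names of saved searches owned by `app` that are disabled and, unless
    scheduled_only=False, scheduled (i.e. alerts or scheduled reports)."""
    names = []
    for entry in entries:
        content = entry.get("content", {})
        if entry.get("acl", {}).get("app") != app:
            continue
        if scheduled_only and not content.get("is_scheduled"):
            continue
        if content.get("disabled"):
            names.append(entry["name"])
    return names


def enable_alerts(names, request=http_request, max_per_run=20, pause=10.0):
    """POST disabled=0 to each saved search; return {name: http_status}.
    Only the first max_per_run names are touched, and the loop pauses after
    each success so the scheduler is not flooded with new searches at once."""
    results = {}
    for name in names[:max_per_run]:
        # saved search names may contain spaces or slashes: encode them
        url = (f"{SERVER}/servicesNS/nobody/{APP}/saved/searches/"
               f"{urllib.parse.quote(name, safe='')}")
        status, _ = request("POST", url, body=b"disabled=0")
        results[name] = status
        if 200 <= status < 300 and pause:
            time.sleep(pause)
    return results


# Constructed sample of what saved/searches?output_mode=json returns (trimmed).
SAMPLE_ENTRIES = [
    {"name": "my_alert1", "acl": {"app": "MY_APP"},
     "content": {"is_scheduled": True, "disabled": True}},
    {"name": "my alert 2", "acl": {"app": "MY_APP"},
     "content": {"is_scheduled": True, "disabled": True}},
    {"name": "already_on", "acl": {"app": "MY_APP"},
     "content": {"is_scheduled": True, "disabled": False}},
    {"name": "adhoc_report", "acl": {"app": "MY_APP"},
     "content": {"is_scheduled": False, "disabled": True}},
    {"name": "other_app_alert", "acl": {"app": "OTHER"},
     "content": {"is_scheduled": True, "disabled": True}},
]

if __name__ == "__main__":
    targets = select_disabled(list_saved_searches(), APP)
    print(f"{len(targets)} disabled alerts in {APP}: {targets}")
    for name, status in enable_alerts(targets).items():
        print(f"{name}: {'enabled' if 200 <= status < 300 else 'FAILED'} (HTTP {status})")
```

Run it against SAMPLE_ENTRIES first (pass your own `request` callable to `enable_alerts` that just records the URLs) to confirm it selects only the searches you expect; the `max_per_run` cap and the pause are there so a mistyped filter cannot switch on every search in the instance in one go.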

PickleRick
SplunkTrust
SplunkTrust

You could try to do it using the REST API, but I'd say it's not the best idea. If you enable too many searches, you're gonna kill your servers. So it's best to enable those you need, not just all there are.
