Bulk enabling alerts

joe06031990
Communicator

Hi,

Is there a way of bulk enabling alerts in Splunk Enterprise?

Thanks,

Joe


gcusello
SplunkTrust

Hi @joe06031990 ,

It's a request from many of us;

go to Splunk Ideas and vote for it: maybe someone in the Splunk project will consider the request!

Ciao.

Giuseppe

deepakc
Builder

A while ago, I had to enable a number of alerts (saved searches) for an app.

I created a simple bash file (assuming you're Linux based) which used the API, and this ran through them. Take note of what @PickleRick said: you could end up with a performance issue if you enable too many.

This worked for me.

You need to create a Splunk token and get a list of your target alerts (saved searches) in your app, then add them to the bash script. A bit of homework, yes, but it got the job done in the end for me.

Here is an example bash script:

#!/bin/bash
# Define your variables
TOKEN="MY SPLUNK TOKEN"
SERVER="https://MY_SPLUNK_SERVER_SH:8089"
APP="MY_APP"

# Define alerts (saved search names; names containing spaces or slashes must be URL-encoded)
ALERTS=("my_alert1" "my_alert2")

# Loop through each alert and enable it
for ALERT in "${ALERTS[@]}"; do
  echo "Enabling alert: $ALERT"
  # --fail makes curl exit non-zero on an HTTP 4xx/5xx, so the exit-status check
  # below reflects whether Splunk actually accepted the change (without it, a
  # rejected request still reports "enabled successfully").
  # -k skips TLS certificate verification, as is common for the self-signed management port.
  curl --fail -sS -X POST -k -H "Authorization: Bearer $TOKEN" \
    "$SERVER/servicesNS/nobody/$APP/saved/searches/$ALERT" -d disabled=0

  if [ $? -eq 0 ]; then
    echo "Alert $ALERT enabled successfully."
    sleep 10   # pause between enables so the scheduler is not hit with all of them at once
  else
    echo "Failed to enable alert $ALERT."
  fi
done


You can use the search below to find your alert (saved search) names:

| rest splunk_server=local /services/saved/searches
| fields splunk_server, author, title, disabled, eai:acl.app, eai:acl.owner, eai:acl.sharing, id, search
| rename title AS saved_search_name, eai:acl.app AS app, eai:acl.owner AS owner, eai:acl.sharing AS sharing, search AS spl_code
| eval is_enabled = case(disabled >= 1, "disabled", 1=1, "enabled")
```| search app=YOUR APP NAME ```
| table splunk_server, author, saved_search_name, disabled, is_enabled, app, owner, sharing, spl_code
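
The same bulk-enable step as a Python script, added here as an example and not code from deepakc's post or from Splunk. It reads the saved-search listing the REST endpoint returns with output_mode=json (the entry/acl/content field layout and the SAMPLE_LISTING are assumed and constructed, not captured from a real server), enables only the disabled searches that are on an explicit allowlist for one app, URL-encodes the search name in the request path, defaults to a dry run, and pauses between enables so the scheduler is not hit with everything at once. The SPLUNK_SERVER, SPLUNK_APP and SPLUNK_TOKEN environment variable names are my own choice.

```python
"""Enable a chosen subset of Splunk saved searches (alerts) via the REST API.

Assumptions (not from the thread): the management port answers on SERVER, a
bearer token is supplied in SPLUNK_TOKEN, and GET .../saved/searches?output_mode=json
returns {"entry": [{"name", "acl": {"app"}, "content": {"disabled"}}, ...]}.
"""
import json
import os
import ssl
import time
import urllib.parse
import urllib.request

SERVER = os.environ.get("SPLUNK_SERVER", "https://MY_SPLUNK_SERVER_SH:8089")
APP = os.environ.get("SPLUNK_APP", "MY_APP")
PAUSE_SECONDS = 10  # stagger enables so newly scheduled searches do not all start together


def is_disabled(entry):
    """Normalise the 'disabled' flag: the API may hand back a bool or "0"/"1"."""
    value = entry.get("content", {}).get("disabled", False)
    if isinstance(value, bool):
        return value
    return str(value).strip() in ("1", "true", "True")


def select_to_enable(listing_json, app, wanted):
    """Return names of saved searches in `app` that are disabled AND on the allowlist.

    An explicit allowlist is deliberate: enabling everything that is disabled
    is how you end up with the scheduler overload PickleRick warns about.
    """
    wanted = set(wanted)
    chosen = []
    for entry in listing_json.get("entry", []):
        if entry.get("acl", {}).get("app") != app:
            continue
        name = entry.get("name")
        if name in wanted and is_disabled(entry):
            chosen.append(name)
    return chosen


def enable_url(server, app, name):
    """Build the entity URL; the search name lives in the path and must be URL-encoded."""
    return "%s/servicesNS/nobody/%s/saved/searches/%s" % (
        server, urllib.parse.quote(app, safe=""), urllib.parse.quote(name, safe=""))


def enable_alert(server, app, name, token, dry_run=True, insecure=False):
    """POST disabled=0 to one saved search. Returns the HTTP status, or None on a dry run."""
    url = enable_url(server, app, name)
    if dry_run:
        print("would POST disabled=0 to", url)
        return None
    ctx = ssl.create_default_context()
    if insecure:  # same effect as curl -k; only for a self-signed management port
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=b"disabled=0", method="POST",
                                 headers={"Authorization": "Bearer " + token})
    # urlopen raises HTTPError on 4xx/5xx, so a rejected enable cannot pass silently.
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


# Constructed sample of a listing response (shape assumed, not captured from Splunk).
SAMPLE_LISTING = json.loads("""
{"entry": [
  {"name": "my_alert1",       "acl": {"app": "MY_APP"}, "content": {"disabled": true}},
  {"name": "my_alert2",       "acl": {"app": "MY_APP"}, "content": {"disabled": "1"}},
  {"name": "already on",      "acl": {"app": "MY_APP"}, "content": {"disabled": false}},
  {"name": "other app alert", "acl": {"app": "search"}, "content": {"disabled": true}}
]}
""")

if __name__ == "__main__":
    token = os.environ.get("SPLUNK_TOKEN", "")
    # Swap SAMPLE_LISTING for the live listing response to drive real enables.
    for alert in select_to_enable(SAMPLE_LISTING, APP, ["my_alert1", "my_alert2", "already on"]):
        status = enable_alert(SERVER, APP, alert, token, dry_run=not token)
        if status is not None:
            print("enabled", alert, "HTTP", status)
            time.sleep(PAUSE_SECONDS)
```

Run it without SPLUNK_TOKEN set and it only prints the URLs it would post to; with a token it performs the enables one at a time with a pause between them. The hard-coded allowlist in the `__main__` block is the point of the design: the script refuses to guess which of the disabled searches you want running.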

PickleRick
SplunkTrust

You could try to do it using the REST API, but I'd say it's not the best idea. If you enable too many searches, you're gonna kill your servers. So it's best to enable those you need, not just all there are.
