How do I export all alerts to csv or pdf?

yiweishih · ‎02-01-2023

Hi All,

My Splunk cloud is version 9.0.2208.4.

My account role is sc_admin already. I have around 200 alerts on the alert page.
Is there a way to export the 200 alerts from the alert page with just one click?

I am very new to Splunk, any help is appreciated!

Thanks!

isoutamo · ‎02-01-2023

Hi

I don't think that you can export those from Alert page? But maybe you could utilise this SPL (thanks someone who post this to answers or slack on last year, cannot recall that person).

| rest /servicesNS/-/-/saved/searches splunk_server=local
| search disabled=0 AND is_scheduled=1
| rename "alert.track" as alert_track
| eval type=case(alert_track=1, "alert", 
                (isnotnull(actions) AND actions!="") AND (isnotnull(alert_threshold) AND alert_threshold!=""), "alert", 
                (isnotnull(alert_comparator) AND alert_comparator!="") AND (isnotnull(alert_type) AND alert_type!="always"), "alert", 
                true(), "report")
| fields title type eai:acl.app is_scheduled description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule disabled
| where type = "alert"
| dedup title eai:acl.app
| sort eai:acl.app title

Just update it to select which fields you needs to export.

r. Ismo

How do I export all alerts to csv or pdf?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How do I export all alerts to csv or pdf?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem