Solved: How can I find reports with email address.

mbhardwaj1 · ‎07-29-2021

Hi ,

I have a clustered environment of Slunk setup. How can I find the all reports and alerts with email address. Actually I need to correct the email domains again and I didn't found any correct way to check all reports with email address. Is there any search query and specific method to find out.

kamlesh_vaghela · ‎07-29-2021

@mbhardwaj1

Can you please try this search?

| rest /servicesNS/-/-/saved/searches | where 'action.email'="1" | table title "action.email.to"

OR

| rest /servicesNS/-/-/saved/searches splunk_server=local | where 'action.email'="1" | table title "action.email.to"

View solution in original post

venkatasri · ‎07-29-2021

Hi @mbhardwaj1

You can issue this rest call to find them, action.email.to field having email address. Alternatively you can find savedsearches.conf file and grep/replace the domain that you wish to from backend.

| rest "/servicesNS/-/-/saved/searches" 
| table id search title action.email.to

---

An upvote would be appreciated and Accept solution if this reply helps!

venkatasri · ‎07-29-2021

If you have multiple Search Heads (SH) and clustered you can push the changes to any one of the instance from SH deployer that will replicate across all cluster members. FYI, otherwise if they are not clustered you have to go modify on every instance manually.

kamlesh_vaghela · ‎07-29-2021

@mbhardwaj1

Can you please try this search?

| rest /servicesNS/-/-/saved/searches | where 'action.email'="1" | table title "action.email.to"

OR

| rest /servicesNS/-/-/saved/searches splunk_server=local | where 'action.email'="1" | table title "action.email.to"

How can I find reports with email address.

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life