Splunk Enterprise Security

REST API usage to get list of all the alerts

vijaya5
Engager

Hi Everyone,

I would like to list all the alerts that are set up by users, not by Splunk apps like ITSI/DMC, using the REST API.

Please help me.

I used the queries below, but they did not give proper results.

| rest /services/saved/searches | search title=*| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email" ,alert_comparator AS "Comparison", dispatch.earliest_time AS "frequency", alert.severity AS "SEV" ,author AS "Author" ,disabled AS "Disabled-True"| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity,Search, Email,Author,Disabled-True

| rest /services/alerts/fired_alerts/

|rest /servicesNS/admin/-/alerts/alert_actions

| rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule


jnew_splunk
Splunk Employee

I've had pretty good success with the following search. It returns all alerts that are not part of a default Splunk app and where the alerts are not disabled.

| rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* 
| search disabled=0
| eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user),  app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect")) 
| rex field=ol_cmd "outputlookup (?<ol_tgt_filename>.+)" 
| rex field=si_cmd "index\\s?=\\s?(?<si_tgt_index>[-_\\w]+)" 
| eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename') 
| rex field=description mode=sed "s/^\\s+//g" 
| eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) > 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0) 
| fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action 
| eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch")
| where is_alert==1
| eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0)
| where splunk_default_app=0 
| fields - splunk_server, splunk_default_app

 

gjanders
SplunkTrust

| rest /servicesNS/-/-/saved/searches splunk_server=local | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

The search might need some tweaking to narrow down, but the splunk_server=local might help if you have a distributed environment.

If you update your search to look for a condition, then that would confirm it was an alert rather than a report... the next challenge would be to attempt to ignore alerts from apps (in general, if the username is not admin/splunk-system-user, it should not have come from an app).
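
The two answers' filters combined outside of SPL, as an added example that is not part of the thread. It assumes the JSON returned by a GET on /servicesNS/-/-/saved/searches with output_mode=json (entries carrying name, acl and content); the function names and the sample entries are constructed for illustration.

```python
import json

# Apps excluded by the first answer's search, and the owners the second answer
# treats as a sign that a search shipped with an app rather than came from a user.
DEFAULT_APPS = {"splunk_archiver", "splunk_monitoring_console", "splunk_instrumentation"}
APP_OWNERS = {"admin", "splunk-system-user"}

def is_true(value):
    """REST values arrive as JSON booleans or as strings such as "1" and "0"."""
    return str(value).strip().lower() in {"1", "true"}

def user_alerts(response_text, default_apps=DEFAULT_APPS, app_owners=APP_OWNERS):
    """Return enabled alerts that neither a default app nor an app owner holds."""
    found = []
    for entry in json.loads(response_text).get("entry", []):
        content, acl = entry.get("content", {}), entry.get("acl", {})
        # Same test as is_alert in the first answer: a trigger condition is set.
        is_alert = ((content.get("alert_comparator") or "") != ""
                    and (content.get("alert_threshold") or "") != ""
                    and (content.get("alert_type") or "always") != "always")
        if not is_alert or is_true(content.get("disabled", False)):
            continue
        if acl.get("app") in default_apps or acl.get("owner") in app_owners:
            continue
        found.append({"title": entry.get("name"), "app": acl.get("app"),
                      "owner": acl.get("owner"),
                      "cron_schedule": content.get("cron_schedule", "")})
    return found

def _entry(name, app, owner, **content):
    """Build one constructed entry in the assumed response layout."""
    return {"name": name, "acl": {"app": app, "owner": owner}, "content": content}

# Constructed sample response (not real data), trimmed to the fields used above.
COND = {"alert_type": "number of events", "alert_comparator": "greater than",
        "alert_threshold": "10", "cron_schedule": "*/5 * * * *"}
SAMPLE = json.dumps({"entry": [
    _entry("Failed logins spike", "search", "vjones", disabled=False, **COND),
    _entry("Weekly usage report", "search", "vjones", disabled=False,
           alert_type="always", alert_comparator="", alert_threshold=""),
    _entry("DMC Alert - sample", "splunk_monitoring_console", "nobody",
           disabled=False, **COND),
    _entry("Old disk alert", "search", "vjones", disabled="1", **COND),
    _entry("App-shipped alert", "some_app", "admin", disabled=False, **COND),
]})

if __name__ == "__main__":
    for alert in user_alerts(SAMPLE):
        print(alert)
```

The owner check is the heuristic from the second answer; pass a different app_owners set if users in your environment create alerts as admin.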
