Splunk Enterprise Security

REST API usage to get list of all the alerts


Hi Everyone,

I would like to list all the alerts that are setup by users not by splunk apps like ITSI/DMC using REST API.

Please help me.

I used below queries, but did not give proper results.

| rest /services/saved/searches | search title=*| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email" ,alert_comparator AS "Comparison", dispatch.earliest_time AS "frequency", alert.severity AS "SEV" ,author AS "Author" ,disabled AS "Disabled-True"| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity,Search, Email,Author,Disabled-True

| rest /services/alerts/fired_alerts/

|rest /servicesNS/admin/-/alerts/alert_actions

|rest/servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Labels (1)
0 Karma

Splunk Employee
Splunk Employee

I've had pretty good success with the following search.  It returns all alerts that are not part of a default Splunk  app and where the alerts are not disabled.

| rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* 
| search disabled=0
| eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user),  app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect")) 
| rex field=ol_cmd "outputlookup (?<ol_tgt_filename>.+)" 
| rex field=si_cmd "index\\s?=\\s?(?<si_tgt_index>[-_\\w]+)" 
| eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename') 
| rex field=description mode=sed "s/^\\s+//g" 
| eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) > 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0) 
| fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action 
| eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch")
| where is_alert==1
| eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0)
| where splunk_default_app=0 
| fields - splunk_server, splunk_default_app



|rest/servicesNS/-/-/saved/searches splunk_server=local | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

The search might need to some tweaking to narrow down but the splunk_server=local might help if you have a distributed environment

If you update your search to look for a condition then that would confirm it was an alert rather than a report...the next challenge would be to attempt to ignore alerts from apps (in general if the username is no admin/splunk-system-user it should have not come from an app)

Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...