Splunk Enterprise Security

REST API usage to get list of all the alerts


Hi Everyone,

I would like to list all the alerts that are setup by users not by splunk apps like ITSI/DMC using REST API.

Please help me.

I used below queries, but did not give proper results.

| rest /services/saved/searches | search title=*| rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email" ,alert_comparator AS "Comparison", dispatch.earliest_time AS "frequency", alert.severity AS "SEV" ,author AS "Author" ,disabled AS "Disabled-True"| eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity,Search, Email,Author,Disabled-True

| rest /services/alerts/fired_alerts/

|rest /servicesNS/admin/-/alerts/alert_actions

|rest/servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

Labels (1)
0 Karma

Splunk Employee
Splunk Employee

I've had pretty good success with the following search.  It returns all alerts that are not part of a default Splunk  app and where the alerts are not disabled.

| rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* 
| search disabled=0
| eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user),  app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect")) 
| rex field=ol_cmd "outputlookup (?<ol_tgt_filename>.+)" 
| rex field=si_cmd "index\\s?=\\s?(?<si_tgt_index>[-_\\w]+)" 
| eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename') 
| rex field=description mode=sed "s/^\\s+//g" 
| eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) > 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0) 
| fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action 
| eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch")
| where is_alert==1
| eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0)
| where splunk_default_app=0 
| fields - splunk_server, splunk_default_app



|rest/servicesNS/-/-/saved/searches splunk_server=local | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

The search might need to some tweaking to narrow down but the splunk_server=local might help if you have a distributed environment

If you update your search to look for a condition then that would confirm it was an alert rather than a report...the next challenge would be to attempt to ignore alerts from apps (in general if the username is no admin/splunk-system-user it should have not come from an app)

Get Updates on the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...