Splunk Enterprise Security

REST API usage to get list of all the alerts

New Member

Hi Everyone,

I would like to use the REST API to list all the alerts that are set up by users, not by Splunk apps like ITSI/DMC.

Please help me.

I used the queries below, but they did not give proper results.

| rest /services/saved/searches | search title=* | rename title AS "Title", description AS "Description", alert_threshold AS "Threshold", cron_schedule AS "Cron Schedule", search AS "Search", action.email.to AS "Email", alert_comparator AS "Comparison", dispatch.earliest_time AS "frequency", alert.severity AS "SEV", author AS "Author", disabled AS "Disabled-True" | eval Severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1") | table Title, Description, Threshold, Comparison, "Cron Schedule", frequency, Severity, Search, Email, Author, "Disabled-True"

| rest /services/alerts/fired_alerts/

|rest /servicesNS/admin/-/alerts/alert_actions

| rest /servicesNS/-/-/saved/searches | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule


Re: REST API usage to get list of all the alerts

SplunkTrust

| rest /servicesNS/-/-/saved/searches splunk_server=local | search alert.track=1 | fields title description search disabled triggered_alert_count actions action.script.filename alert.severity cron_schedule

The search might need some tweaking to narrow it down, but splunk_server=local might help if you have a distributed environment.

If you update your search to look for a condition, then that would confirm it was an alert rather than a report. The next challenge would be to attempt to ignore alerts from apps (in general, if the username is not admin/splunk-system-user, it should not have come from an app).

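The same filtering the reply describes (keep saved searches that have a trigger condition or alert.track set, drop those owned by admin/splunk-system-user), done client-side against the JSON form of the saved/searches endpoint. This is an added example, not code from the thread; it assumes a Splunk session key for the Authorization header, and the SAMPLE response is constructed, not captured from a real instance.

```python
"""List user-created alerts from Splunk's saved/searches REST endpoint."""
import json
import urllib.request

# Owners the reply treats as app/system accounts rather than human users.
SYSTEM_AUTHORS = {"admin", "splunk-system-user", "nobody"}


def _truthy(value):
    # output_mode=json returns some flags as booleans and others as "0"/"1".
    return str(value).lower() in ("1", "true")


def is_user_alert(entry, excluded_apps=()):
    """True if an entry is an alert (not a report) owned by a regular user.

    An alert is recognised by alert.track being set or by a trigger condition
    other than "always"; excluded_apps is an optional app-name deny list (assumed).
    """
    content = entry.get("content", {})
    has_condition = content.get("alert_type", "always") != "always"
    is_alert = _truthy(content.get("alert.track")) or has_condition
    app = entry.get("acl", {}).get("app", "")
    return is_alert and entry.get("author") not in SYSTEM_AUTHORS and app not in excluded_apps


def user_alerts(api_json, excluded_apps=()):
    """Return (name, author, app, cron_schedule) for each user-created alert."""
    return [
        (e["name"], e.get("author"), e.get("acl", {}).get("app"),
         e.get("content", {}).get("cron_schedule"))
        for e in api_json.get("entry", [])
        if is_user_alert(e, excluded_apps)
    ]


def fetch_saved_searches(base_url, session_key):
    """GET every saved search across all users and apps; count=0 disables paging."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample in the shape of output_mode=json (not real data).
SAMPLE = {"entry": [
    {"name": "Failed logins spike", "author": "alice", "acl": {"app": "search"},
     "content": {"alert.track": "1", "alert_type": "number of events", "cron_schedule": "*/5 * * * *"}},
    {"name": "Weekly summary", "author": "alice", "acl": {"app": "search"},
     "content": {"alert.track": "0", "alert_type": "always", "cron_schedule": "0 6 * * 1"}},
    {"name": "ITSI episode health", "author": "splunk-system-user", "acl": {"app": "itsi"},
     "content": {"alert.track": True, "alert_type": "always", "cron_schedule": "* * * * *"}},
]}

if __name__ == "__main__":
    for row in user_alerts(SAMPLE):
        print(row)
```

Replace SAMPLE with `fetch_saved_searches("https://splunk.example:8089", session_key)` to run it against a live search head; the ITSI/DMC apps the question names can be passed in excluded_apps as a second filter.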