Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get the list of Alerts and Report?

mahesh27
Communicator
‎03-29-2023 02:32 PM

i have many alerts and reports which configured with particular email id(splunkdata@gmail.com)
Now i want to change the email id to (splunklogs@gmail.com)
How do i  get the list of alerts and reports configured with this email id(splunkdata@gmail.com)

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-29-2023 02:44 PM

Use the rest api

 

| rest /servicesNS/-/-/saved/searches
| where 'action.email.to'="splunkdata@gmail.com" AND 'action.email'=1
| rename eai:acl.* as *
| table title app owner sharing disabled

 

which will look for all saved searches with an action set to email with the address set as specified.

 

0 Karma
Reply

michael_bates_1
Path Finder
‎03-29-2023 02:43 PM

There are a couple of ways to look at this.
Do you have access to the OS and if so, which OS (linux or Windows)

In linux you could change to the splunk install dir (usually /opt/splunk), change to etc and run
find . -name savedsearches.conf -exec grep -H -E "\[|splunkdata@gmail.com" {} \;

This should give the list of files and search names that have the email address configured for it.
Depending on how many alerts, you could look into using sed to modify each value.

You would need to restart Splunk afterwards.

I am not so familiar with Windows but I am sure a similar "find" function could be done in powershell.

0 Karma
Reply

yeahnah
Motivator
‎03-29-2023 02:38 PM

Hi @mahesh27 

Try this query

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where (disabled=0 AND is_scheduled=1) ``` 0: false, 1: true ```
AND (
match('action.email.to', "(?i)splunkdata@gmail.com")
OR match('action.email.cc', "(?i)splunkdata@gmail.com")
OR match('action.email.bcc',"(?i)splunkdata@gmail.com")
))
| rename eai:acl.app AS app alert_type AS type action.email.to AS email.to action.email.cc AS email.cc action.email.bcc AS email.bcc eai:acl.sharing AS permissions

Hope that helps

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...