Splunk Enterprise

How to get the list of Alerts and Report?

mahesh27
Communicator

I have many alerts and reports which are configured with a particular email id (splunkdata@gmail.com).
Now I want to change the email id to (splunklogs@gmail.com).
How do I get the list of alerts and reports configured with this email id (splunkdata@gmail.com)?

0 Karma

bowesmana
SplunkTrust

Use the REST API

 

| rest /servicesNS/-/-/saved/searches
| where 'action.email.to'="splunkdata@gmail.com" AND 'action.email'=1
| rename eai:acl.* as *
| table title app owner sharing disabled

 

which will look for all saved searches with an action set to email with the address set as specified.

 

0 Karma

michael_bates_1
Path Finder

There are a couple of ways to look at this.
Do you have access to the OS and, if so, which OS (Linux or Windows)?

In Linux you could change to the Splunk install dir (usually /opt/splunk), change to etc and run
find . -name savedsearches.conf -exec grep -H -E "\[|splunkdata@gmail.com" {} \;

This should give the list of files and search names that have the email address configured for it.
Depending on how many alerts, you could look into using sed to modify each value.

You would need to restart Splunk afterwards.

I am not so familiar with Windows but I am sure a similar "find" function could be done in PowerShell.

0 Karma
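
The file-based approach above, as an added example that is not part of the original post: it walks every savedsearches.conf under a directory and prints only the stanzas whose action.email.to, cc or bcc value contains the address, compared literally and case-insensitively. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names and sample files are constructed.

# find_email_stanzas DIR ADDRESS
# Prints "file<TAB>stanza<TAB>key" for each action.email.to/cc/bcc setting under
# DIR whose value contains ADDRESS (literal, case-insensitive comparison).
find_email_stanzas() {
  find "$1" -type f -name savedsearches.conf -exec awk -v addr="$2" '
    BEGIN { addr = tolower(addr); OFS = "\t" }
    FNR == 1 { stanza = "" }                      # new file: forget previous stanza
    /^[ \t]*#/ { next }                           # comment line
    /^\[/ {                                       # stanza header = saved search name
      stanza = $0
      sub(/^\[/, "", stanza); sub(/\][ \t]*$/, "", stanza)
      next
    }
    /^[ \t]*action\.email\.(to|cc|bcc)[ \t]*=/ {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      if (index(tolower(substr($0, eq + 1)), addr)) print FILENAME, stanza, key
    }
  ' {} + | sort
}

# Constructed sample tree standing in for $SPLUNK_HOME/etc (not real configuration).
make_sample() {
  local d
  d=$(mktemp -d) || return 1
  mkdir -p "$d/apps/search/local" "$d/apps/ops/default"
  cat > "$d/apps/search/local/savedsearches.conf" <<'EOF'
[Failed logins]
action.email = 1
action.email.to = SplunkData@gmail.com, soc@example.com
search = index=auth action=failure

[Disk usage report]
action.email = 1
action.email.to = storage@example.com
EOF
  cat > "$d/apps/ops/default/savedsearches.conf" <<'EOF'
# shipped defaults
[Nightly summary]
action.email.to = ops@example.com
action.email.bcc = splunkdata@gmail.com
EOF
  printf '%s\n' "$d"
}

sample=$(make_sample)
find_email_stanzas "$sample" "splunkdata@gmail.com"
rm -rf "$sample"
```

On a real host, pass the Splunk etc directory as DIR; a hit in an app's default/ directory is better overridden in that app's local/ savedsearches.conf than edited in place.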

yeahnah
Motivator

Hi @mahesh27 

Try this query

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where (disabled=0 AND is_scheduled=1) ``` 0: false, 1: true ```
AND (
match('action.email.to', "(?i)splunkdata@gmail.com")
OR match('action.email.cc', "(?i)splunkdata@gmail.com")
OR match('action.email.bcc',"(?i)splunkdata@gmail.com")
)
| rename eai:acl.app AS app alert_type AS type action.email.to AS email.to action.email.cc AS email.cc action.email.bcc AS email.bcc eai:acl.sharing AS permissions

Hope that helps

0 Karma