I have many alerts and reports which are configured with a particular email id (splunkdata@gmail.com).
Now I want to change the email id to (splunklogs@gmail.com).
How do I get the list of alerts and reports configured with this email id (splunkdata@gmail.com)?
Use the REST API
| rest /servicesNS/-/-/saved/searches
| where 'action.email.to'="splunkdata@gmail.com" AND 'action.email'=1
| rename eai:acl.* as *
| table title app owner sharing disabled
which will look for all saved searches with an action set to email with the address set as specified.
There are a couple of ways to look at this.
Do you have access to the OS and if so, which OS (Linux or Windows)?
In Linux you could change to the Splunk install dir (usually /opt/splunk), change to etc and run
find . -name savedsearches.conf -exec grep -H -E "\[|splunkdata@gmail.com" {} \;
This should give the list of files and search names that have the email address configured for it.
Depending on how many alerts, you could look into using sed to modify each value.
You would need to restart Splunk afterwards.
I am not so familiar with Windows but I am sure a similar "find" function could be done in PowerShell.
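The file-based approach from the answer above, as an added example that is not part of the original thread: it reports only the stanzas whose recipient settings contain the address, and rewrites the address on those lines alone. The function names and the sample savedsearches.conf are constructed for illustration, and GNU awk and sed on Linux are assumed.

```shell
# Added example, not from the thread. Assumes GNU awk/sed; all names here are hypothetical.
# list_email_stanzas FILE ADDRESS: print "FILE<TAB>[stanza]<TAB>key" per matching recipient line.
list_email_stanzas() {
    awk -v addr="$2" '
        /^\[/ { stanza = $0; next }                       # track the current stanza header
        /^action\.email\.(to|cc|bcc)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (index(tolower(val), tolower(addr)))       # literal, case-insensitive match
                printf "%s\t%s\t%s\n", FILENAME, stanza, key
        }' "$1"
}

# replace_email FILE OLD NEW: rewrite OLD on to/cc/bcc lines only; original kept as FILE.bak.
replace_email() {
    local old_re new_esc
    old_re=$(printf '%s' "$2" | sed 's#[][(){}.*+?^$|\\/]#\\&#g')   # escape regex metacharacters
    new_esc=$(printf '%s' "$3" | sed 's#[&/\\]#\\&#g')              # escape replacement specials
    sed -i.bak -E "/^action\.email\.(to|cc|bcc)[[:space:]]*=/ s/${old_re}/${new_esc}/gI" "$1"
}

# make_sample DIR: write a constructed savedsearches.conf (sample data, not from the thread).
make_sample() {
    cat > "$1/savedsearches.conf" <<'EOF'
[Failed logins]
action.email = 1
action.email.to = splunkdata@gmail.com, soc@example.com
search = index=auth action=failure

[Disk usage report]
action.email.to = ops@example.com
action.email.cc = SplunkData@gmail.com
search = index=os sourcetype=df | eval note="splunkdata@gmail.com"
EOF
}

demo() {
    local d; d=$(mktemp -d); make_sample "$d"
    list_email_stanzas "$d/savedsearches.conf" "splunkdata@gmail.com"
    replace_email "$d/savedsearches.conf" "splunkdata@gmail.com" "splunklogs@gmail.com"
    grep -n "gmail.com" "$d/savedsearches.conf"; rm -rf "$d"   # search text is left untouched
}
demo
```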
Hi @mahesh27
Try this query
| rest splunk_server=local /servicesNS/-/-/saved/searches
| where (disabled=0 AND is_scheduled=1) ``` 0: false, 1: true ```
AND (
match('action.email.to', "(?i)splunkdata@gmail.com")
OR match('action.email.cc', "(?i)splunkdata@gmail.com")
OR match('action.email.bcc',"(?i)splunkdata@gmail.com")
)
| rename eai:acl.app AS app alert_type AS type action.email.to AS email.to action.email.cc AS email.cc action.email.bcc AS email.bcc eai:acl.sharing AS permissions
Hope that helps