Alerting

REST API not returning alerts

skuller
Engager

I am using the REST API to create a bot to search for triggered alerts every 30 seconds or so. I created saved searches as alerts on my personal Splunk account from my company, and everything worked fine.

curl -k -u [username]:[password] https://[host]/servicesNS/[username]/[app]/alerts/fired_alerts -d "output_mode=json" --get

I recently got a new Splunk account specifically for the bot to use, so I went and recreated the alerts I had previously created on the new account, but when I run the API calls I am not getting any triggered alerts returned. I can see my test alerts in the alert manager, and the alerts I created on the new account are exactly the same as the ones I had on my personal account.

I have tried deleting the saved searches on my personal account as well as recreating the searches on the bot account, but I am unable to see the triggered alerts when I check for them using the API.

Any help would be greatly appreciated.

edit: If I search for triggered alerts from all apps, I am able to see other alerts that were created by other people, but not the ones I created.

I can see the alerts that were triggered (http://i.imgur.com/NcoDyy7.png), but when I run the command I only get http://pastebin.com/6N9r82k1


jackscratch
Engager

Is it a namespace issue?

Try here
https://answers.splunk.com/answers/146985/how-to-view-list-of-email-addresses-for-saved-alerts.html

You need to use namespace wildcards to get all the searches (run as admin), I've added a filter to only load searches that have the email action enabled:
 | rest /servicesNS/-/-/saved/searches search="action.email=1" | table title eai:acl.app eai:acl.owner disabled is_scheduled cron_schedule action.email*

I also found these pages helpful

http://docs.splunk.com/Documentation/Splunk/6.0.2/RESTAPI/RESTsearch

http://docs.splunk.com/Documentation/Splunk/6.2.2/RESTREF/RESTsearchExamples

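As an added illustration of the namespace point above (this is example code written for this page, not code from the thread or from Splunk): the `/servicesNS/{owner}/{app}/` prefix scopes the request to saved searches in that owner and app namespace, and `-` is the wildcard for either slot, so a polling bot should build its fired_alerts URL with the namespace explicit rather than assuming its own user is enough. The shell equivalent of the wildcard query is `curl --get -ku user:pass https://host/servicesNS/-/-/alerts/fired_alerts -d output_mode=json`. The wildcard still only returns saved searches the credentials are permitted to read, so sharing/permissions on the alert remain a separate check. The host name, the JSON field names (`acl.owner`, `acl.app`, `content.triggered_alert_count`, and `content.sid`, `content.trigger_time`, `content.savedsearch_name`, `content.severity` on the per-alert instance listing) and the two sample responses are assumptions constructed for the example; verify the field names against your own instance's output.

```python
import json
from urllib.parse import quote, urlencode


def fired_alerts_url(host, owner="-", app="-", alert_name=None):
    """Build the servicesNS URL for the fired_alerts endpoint.

    owner and app default to '-', the namespace wildcard, so the request is
    not limited to one user's or one app's saved searches. When alert_name
    is given, the URL addresses that alert's list of fired instances.
    (host is an assumed value supplied by the caller.)
    """
    path = "/servicesNS/{}/{}/alerts/fired_alerts".format(
        quote(owner, safe=""), quote(app, safe=""))
    if alert_name is not None:
        path += "/" + quote(alert_name, safe="")
    return "https://{}{}?{}".format(host, path, urlencode({"output_mode": "json"}))


def summarize_fired_alerts(body):
    """Parse the fired_alerts collection response (output_mode=json).

    Assumed field names: entry[].acl.owner, entry[].acl.app and
    entry[].content.triggered_alert_count. Returns only alerts that have
    fired at least once, together with the namespace they live in, which
    is the first thing to compare against the URL that was queried.
    """
    data = json.loads(body)
    summary = []
    for entry in data.get("entry", []):
        count = int(entry.get("content", {}).get("triggered_alert_count", 0))
        if count < 1:
            continue
        acl = entry.get("acl", {})
        summary.append({"name": entry["name"], "owner": acl.get("owner"),
                        "app": acl.get("app"), "count": count})
    return summary


def new_instances(body, seen_sids):
    """Return fired instances from a per-alert listing not yet in seen_sids.

    seen_sids is updated in place, so a bot polling every 30 seconds reports
    each firing exactly once instead of re-reporting the whole history.
    Assumed field names: content.sid, content.trigger_time (epoch seconds),
    content.savedsearch_name, content.severity.
    """
    data = json.loads(body)
    entries = sorted(data.get("entry", []),
                     key=lambda e: int(e["content"]["trigger_time"]))
    fresh = []
    for entry in entries:
        c = entry["content"]
        if c["sid"] in seen_sids:
            continue
        seen_sids.add(c["sid"])
        fresh.append({"sid": c["sid"],
                      "trigger_time": int(c["trigger_time"]),
                      "savedsearch_name": c.get("savedsearch_name"),
                      "severity": c.get("severity")})
    return fresh


# Constructed sample responses (not captured from a real instance): one alert
# owned by the bot user, one owned by another user in another app, and one
# that has never fired.
SAMPLE_COLLECTION = json.dumps({"entry": [
    {"name": "bot test alert", "acl": {"owner": "botuser", "app": "search"},
     "content": {"triggered_alert_count": 2}},
    {"name": "disk full", "acl": {"owner": "ops", "app": "ops_app"},
     "content": {"triggered_alert_count": 1}},
    {"name": "quiet alert", "acl": {"owner": "botuser", "app": "search"},
     "content": {"triggered_alert_count": 0}},
]})

SAMPLE_INSTANCES = json.dumps({"entry": [
    {"name": "scheduler__botuser__search__at_1700000060_2",
     "content": {"sid": "scheduler__botuser__search__at_1700000060_2",
                 "trigger_time": 1700000060,
                 "savedsearch_name": "bot test alert", "severity": 3}},
    {"name": "scheduler__botuser__search__at_1700000000_1",
     "content": {"sid": "scheduler__botuser__search__at_1700000000_1",
                 "trigger_time": 1700000000,
                 "savedsearch_name": "bot test alert", "severity": 3}},
]})


if __name__ == "__main__":
    # Own namespace only, then the wildcard form the answer above recommends.
    print(fired_alerts_url("splunk.example:8089", "botuser", "search"))
    print(fired_alerts_url("splunk.example:8089"))
    for alert in summarize_fired_alerts(SAMPLE_COLLECTION):
        print(alert)
    seen = set()
    print(new_instances(SAMPLE_INSTANCES, seen))   # both instances
    print(new_instances(SAMPLE_INSTANCES, seen))   # [] on the next poll
```

In a real poll loop the two sample strings are replaced by the bodies of GET requests to `fired_alerts_url(host)` and `fired_alerts_url(host, alert_name=name)`, authenticated the same way as the curl command in the question; the `seen_sids` set is what keeps a 30-second poll from announcing the same firing repeatedly.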

rroberts
Splunk Employee

Hmmm, this worked for me:

curl --get -ku admin:xxxxx https://localhost:9621/servicesNS/admin/sales/alerts/fired_alerts -d "output_mode=json"

Try --get up front.


skuller
Engager

I get the same results when I run both commands:
http://pastebin.com/6N9r82k1

It says no alerts have been fired, but when I go to the alert manager I see http://i.imgur.com/NcoDyy7.png
