Bulk enabling alerts

joe06031990
Communicator

Hi,

Is there a way of bulk enabling alerts in Splunk enterprise?

Thanks,

Joe

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @joe06031990 ,

It's a request from many of us;

go to Splunk Ideas and vote for it: maybe someone in the Splunk project will consider the request!

Ciao.

Giuseppe


deepakc
Builder

A while ago, I had to enable a number of alerts (saved searches) for an app.

I created a simple bash file (assuming you're Linux based) which used the API, and this ran through them. Take note of what @PickleRick said: you could end up with a performance issue if you enable too many.

This worked for me.

You need to create a Splunk token and get a list of your target alerts (saved searches) in your app, then add them to the bash script. A bit of homework, yes, but it got the job done in the end for me.

Here is an example bash script:

#!/bin/bash
# Define your variables
set -u                                    # treat unset variables as an error
TOKEN="MY SPLUNK TOKEN"                   # Splunk authentication token

SERVER="https://MY_SPLUNK_SERVER_SH:8089"
APP="MY_APP"

# Define alerts (saved search names exactly as shown in the REST output;
# names containing spaces or "/" must be URL-encoded before use in the path)
ALERTS=("my_alert1" "my_alert2")

# Loop through each alert and enable it
for ALERT in "${ALERTS[@]}"; do
  echo "Enabling alert: $ALERT"
  # --fail makes curl exit non-zero on an HTTP error (401, 404, ...), so the
  # success/failure branches below reflect the real result; without it curl
  # returns 0 even when Splunk rejects the request.
  # -k skips TLS certificate verification (common with the self-signed
  # management-port certificate); remove it if the certificate is trusted.
  if curl --fail -s -S -k -X POST -H "Authorization: Bearer $TOKEN" \
       "$SERVER/servicesNS/nobody/$APP/saved/searches/$ALERT" -d disabled=0 > /dev/null; then
    echo "Alert $ALERT enabled successfully."
    sleep 10   # pause between enables so the scheduler is not hit all at once
  else
    echo "Failed to enable alert $ALERT."
  fi
done


You can use the below to find your alert search names:

| rest splunk_server=local /services/saved/searches 
| fields splunk_server, author, title, disabled, eai:acl.app, eai:acl.owner, eai:acl.sharing, id, search 
| rename title AS saved_search_name eai:acl.app AS app eai:acl.owner AS owner eai:acl.sharing AS sharing search AS spl_code 
| eval is_enabled = case(disabled >=1, "disabled",1=1, "enabled") 
```| search app=YOUR APP NAME ```
| table splunk_server, author, saved_search_name, disabled, is_enabled, app, owner, sharing, spl_code
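To make the selection step explicit (enable only the alerts you name, not everything that is disabled, as PickleRick advises) here is an added Python example; it is not from the thread above or from Splunk. It assumes the JSON shape of the saved/searches REST endpoint shown in the constructed sample, and enable_alerts is a hypothetical helper with placeholder server and token values.

```python
"""Enable only a chosen subset of disabled Splunk alerts through the REST API."""
import json
import ssl
import time
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed sample of /servicesNS/-/-/saved/searches?output_mode=json (trimmed to relevant keys).
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Failed logins spike", "acl": {"app": "search"}, "content": {"disabled": True}},
    {"name": "Brute force",         "acl": {"app": "my_app"}, "content": {"disabled": True}},
    {"name": "New admin user",      "acl": {"app": "my_app"}, "content": {"disabled": False}},
    {"name": "Noisy debug alert",   "acl": {"app": "my_app"}, "content": {"disabled": True}},
]})

def disabled_alerts(body, app, allowlist=None):
    """Names of disabled saved searches in `app`; with `allowlist`, only those explicitly wanted."""
    names = []
    for entry in json.loads(body)["entry"]:
        if entry["acl"]["app"] != app or not entry["content"]["disabled"]:
            continue
        if allowlist is None or entry["name"] in allowlist:
            names.append(entry["name"])
    return names

def enable_url(server, app, name):
    """Per-search endpoint; names with spaces or '/' must be percent-encoded in the path."""
    return f"{server}/servicesNS/nobody/{app}/saved/searches/{quote(name, safe='')}"

def enable_alerts(server, token, app, names, pause=10, verify_tls=True):
    """POST disabled=0 to each alert and return {name: HTTP status}. Hypothetical helper."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # equivalent of curl -k; only for self-signed mgmt certs
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    results = {}
    for name in names:
        req = urllib.request.Request(enable_url(server, app, name), data=b"disabled=0",
                                     headers={"Authorization": f"Bearer {token}"}, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                results[name] = resp.status
        except urllib.error.HTTPError as err:   # 4xx/5xx counts as failure, unlike plain curl
            results[name] = err.code
        time.sleep(pause)   # stagger enables so a batch does not hit the scheduler at once
    return results

if __name__ == "__main__":
    wanted = disabled_alerts(SAMPLE_RESPONSE, "my_app", allowlist={"Brute force"})
    print(wanted, enable_url("https://splunk.example:8089", "my_app", wanted[0]))
```

Run disabled_alerts against a live GET of the endpoint first and review the list before passing it to enable_alerts.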
PickleRick
SplunkTrust
SplunkTrust

You could try to do it using the REST API but I'd say it's not the best idea. If you enable too many searches, you're gonna kill your servers. So it's best to enable those you need, not just all there are.
