We have many alerts setup in Splunk, so how can I get the list of alerts corn scheduled for 10mins
You can use the rest api to get the saved searches and look at the cron schedule
| rest splunk_server=local /servicesNS/-/-/saved/searches | where disabled=0 AND is_scheduled=1 | fields title cron_schedule next_scheduled_time
then you can do what you need to do with that data
@bowesmana , thank you for the query
But I am getting all the alerts how can I add filter to see only 10 mins scheduled alerts
I tried using search or where command for cron scheduled field but it not coming.
You need to look at the minute part of the cron schedule, for example you could do this at the end of the other search I gave to you
| eval ten_minute_schedule=if(match(cron_schedule, "^\*/10"), 1, 0) | where ten_minute_schedule=1
Can you explain what you mean by to see only 10 mins scheduled alerts
Does that mean alerts that are scheduled to run in the next 10 minutes or alerts that are scheduled to run every 10 minutes or...?
I want to see the list of alerts that are scheduled to run every 10 minutes
Please check this post.. https://community.splunk.com/t5/Splunk-Search/How-to-find-all-searches-that-are-scheduled-to-run-eve...
