Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cataloging Report Notification Actions

deaseec
Engager
‎02-18-2021 01:59 PM

I am looking to catalog which reports/alerts utilize which notification actions. I have a search currently that keys off of, "alert_action", but this is only effective IF the alert has already fired off in the specified time frame. However, I need to be able to see any alerts that will take a given action, even if they have not fired off. Any help is greatly appreciated.

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎02-20-2021 04:25 PM

@deaseec 

You can query searches and actions using the REST API.

| rest /servicesNS/-/-/saved/searches count=0 splunk_server=local
| foreach action.*
[| eval alert_actions=mvappend(alert_actions, case('<<FIELD>>'==1 AND match("<<FIELD>>", "^action\.[^.]+$"), "<<FIELD>>"))]
| fields splunk_server eai:acl.app title author alert_actions
| search alert_actions=*

Actions have field names like action.foo.

Action parameters have field names like action.foo.bar.

In this example, I've used foreach to iterate over field names and add them to a multi-valued field named alert_actions if 1) the value is 1 and 2) the field is not a parameter.

View solution in original post

Reply
Solved! Jump to solution

deaseec
Engager
‎02-22-2021 08:08 AM

That worked PERFECTLY! Thank you for your help.

0 Karma
Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎02-20-2021 04:25 PM

@deaseec 

You can query searches and actions using the REST API.

| rest /servicesNS/-/-/saved/searches count=0 splunk_server=local
| foreach action.*
[| eval alert_actions=mvappend(alert_actions, case('<<FIELD>>'==1 AND match("<<FIELD>>", "^action\.[^.]+$"), "<<FIELD>>"))]
| fields splunk_server eai:acl.app title author alert_actions
| search alert_actions=*

Actions have field names like action.foo.

Action parameters have field names like action.foo.bar.

In this example, I've used foreach to iterate over field names and add them to a multi-valued field named alert_actions if 1) the value is 1 and 2) the field is not a parameter.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...