I am looking to catalog which reports/alerts utilize which notification actions. I have a search currently that keys off of "alert_action", but this is only effective IF the alert has already fired in the specified time frame. However, I need to be able to see any alerts that will take a given action, even if they have not fired. Any help is greatly appreciated.
You can query searches and actions using the REST API.
| rest /servicesNS/-/-/saved/searches count=0 splunk_server=local
| foreach action.*
[| eval alert_actions=mvappend(alert_actions, case('<<FIELD>>'==1 AND match("<<FIELD>>", "^action\.[^.]+$"), "<<FIELD>>"))]
| fields splunk_server eai:acl.app title author alert_actions
| search alert_actions=*
Actions have field names like action.foo.
Action parameters have field names like action.foo.bar.
In this example, I've used foreach to iterate over field names and add them to a multi-valued field named alert_actions if 1) the value is 1 and 2) the field is not a parameter.
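The same catalog built outside of Splunk, as an added example that is not part of the original answer. It applies the answer's rule to the JSON form of the /servicesNS/-/-/saved/searches response: a content key counts as an action when it matches action.<name> with no further dotted parameter and its value is enabled, and a search is listed if it has at least one such action, whether or not it has ever fired. The response below is constructed sample data; the hostname, bearer token and the accepted value encodings (0/1, "0"/"1", true/false) are assumptions.

```python
"""Catalog which Splunk saved searches would take which alert actions.

Added example: reproduces the logic of the SPL answer above against the
JSON output of the saved/searches REST endpoint. Action toggles are named
action.<name>; their parameters are action.<name>.<param> and are skipped.
"""
from __future__ import annotations

import json
import re
import urllib.request
from typing import Any, Iterable, Optional

# Same pattern as the SPL answer: an action toggle, not a parameter.
ACTION_TOGGLE = re.compile(r"^action\.[^.]+$")


def is_enabled(value: Any) -> bool:
    """`| rest` shows toggles as 0/1; the JSON endpoint may return booleans
    or "0"/"1" strings (assumption: no other encodings are in use)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true"}


def enabled_actions(content: dict) -> list[str]:
    """Enabled action.<name> keys of one saved search, sorted for stability."""
    return sorted(
        key for key, value in content.items()
        if ACTION_TOGGLE.match(key) and is_enabled(value)
    )


def catalog(entries: Iterable[dict], action: Optional[str] = None) -> list[dict]:
    """Build the catalog from the response's "entry" list. With `action`
    set (e.g. "action.email"), keep only searches that would take it."""
    rows = []
    for entry in entries:
        actions = enabled_actions(entry.get("content", {}))
        if not actions or (action is not None and action not in actions):
            continue
        rows.append({
            "app": entry.get("acl", {}).get("app"),   # eai:acl.app in SPL
            "title": entry.get("name"),
            "author": entry.get("author"),
            "alert_actions": actions,
        })
    return rows


def fetch_saved_searches(base_url: str, token: str) -> list[dict]:
    """Pull the entries from a live search head with a bearer token.
    base_url is e.g. "https://splunk.example.com:8089" (assumed host).
    Not called here; the constructed sample below is used instead."""
    url = f"{base_url}/servicesNS/-/-/saved/searches?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:  # TLS verified by default
        return json.load(resp)["entry"]


# Constructed sample response (not real data), trimmed to the fields used.
SAMPLE_RESPONSE = {
    "entry": [
        {
            "name": "Brute force logins",
            "author": "admin",
            "acl": {"app": "search"},
            "content": {
                "action.email": "1",
                "action.email.to": "soc@example.com",   # parameter, ignored
                "action.webhook": 0,
                "action.summary_index": "0",
            },
        },
        {
            "name": "Notable - new local admin",
            "author": "secops",
            "acl": {"app": "security_app"},
            "content": {
                "action.email": False,
                "action.webhook": True,
                "action.webhook.param.url": "https://hooks.example.com/x",
                "action.script": "1",
            },
        },
        {
            "name": "Weekly license report",
            "author": "admin",
            "acl": {"app": "search"},
            "content": {"action.email": 0, "action.email.to": "ops@example.com"},
        },
    ]
}

if __name__ == "__main__":
    for row in catalog(SAMPLE_RESPONSE["entry"]):
        print(row["app"], row["title"], row["author"], ",".join(row["alert_actions"]))
```

Run it as-is to see the two searches with enabled actions; the license report drops out because its only action toggle is off, exactly as `| search alert_actions=*` drops it in the SPL version.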
That worked PERFECTLY! Thank you for your help.