Alerting

Is it possible to disable all the alerts running in Splunk with a SINGLE click?

logloganathan
Motivator

Is it possible to disable all the alerts running in Splunk with a SINGLE click?

We have thousands of alerts. How do we disable all alerts using a single click?

1 Solution

elliotproebstel
Champion

When I needed to disable all saved searches on a search head, I used a short bash script to rename all savedsearches.conf files to savedsearches.conf.disabled and then restarted Splunk. Here's the script I used:

#!/bin/bash
set -euo pipefail

cd /opt/splunk/etc/

# Disable ALL savedsearches.conf files by renaming them out of the way.
# -print0 / read -d '' keeps paths containing spaces intact; the original
# backtick loop would split such paths. Restart Splunk afterwards.
find . -name savedsearches.conf -print0 | while IFS= read -r -d '' f; do
    mv "${f}" "${f}.disabled"
done

If your Splunk instance isn't in /opt/splunk, then you might need to change the location.
To re-enable all saved searches on the search head, I used this:

#!/bin/bash
set -euo pipefail

cd /opt/splunk/etc/

# Enable ALL savedsearches.conf files by stripping the .disabled suffix
# (${f%.disabled} removes exactly that suffix). Restart Splunk afterwards.
find . -name savedsearches.conf.disabled -print0 | while IFS= read -r -d '' f; do
    mv "${f}" "${f%.disabled}"
done

Note: This makes the searches completely unavailable from the Splunk UI, because they are no longer found in the expected savedsearches.conf locations - so technically speaking, this does a lot more than "disable alerts", but it's pretty efficient for making all saved searches stop running and then restoring them back to their original state.


shankern
Explorer

Perhaps Splunk needs to provide a proper solution for this.

Hankins
Engager

Absolutely

0 Karma

PDXKiel
Path Finder

I too would like to know how something like this could be solved. My company has installs from 2am-6am on Sunday mornings and we want to disable all alerts, or a subsection of them, during this time frame, and it's surprising that Splunk doesn't have something to deal with a situation like that through the GUI.


logloganathan
Motivator

thanks for answering!!

0 Karma

woodcock
Esteemed Legend

Yes, if they are all in the same app, then they will all be in the same savedsearches.conf file under that app, so you can edit that file from the CLI and use this command in vi:

:1,$s/disabled=0/disabled=1/

shankern
Explorer

If savedsearches.conf already has a mix of disabled and enabled alerts, this should not be used, as it will enable all alerts when we do

:1,$s/disabled=1/disabled=0/

for re-enabling.

0 Karma

logloganathan
Motivator

Thanks for answering!!

0 Karma

mahajanamit
Explorer

You could do it directly from the savedsearches.conf file. However, it will still not be a single click; you'll have to set the "enableSched" property to the value "0" in all of your search stanzas, but at least you'd be able to achieve that by editing a single file.

Setting "enableSched" to 0 means that you are disabling the scheduling of these alerts.
Hope this helps!!

Cheers.
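The two conf-file approaches above (woodcock's vi substitution and mahajanamit's enableSched edit) share the problem shankern points out: a blanket substitution forgets which alerts were already disabled, so the "undo" enables everything. The script below is an added example, not code from this thread or from Splunk. It walks savedsearches.conf line by line (so comments and backslash-continued searches survive, which a configparser round-trip would not), records each stanza's prior `disabled` value in a JSON state file, sets `disabled = 1` everywhere, and restores exactly the previous values later. The stanza names and file contents in SAMPLE_CONF are constructed for illustration; the `.state.json` file name and the `disable|restore` command-line interface are this example's own choices.

```python
"""Bulk-disable every stanza in a Splunk savedsearches.conf and restore it later.

Added example (not code from the original thread). The file is edited line by
line so comments and backslash-continued searches survive, and each stanza's
prior value is recorded, so restoring does not re-enable alerts that were
already disabled (the trap of a blanket disabled=1 -> disabled=0 substitution).
"""
import json
import re
import sys
from pathlib import Path

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def key_re(key):
    # Matches "disabled = 1" and "disabled=1" alike; the value is group 1.
    return re.compile(rf"^\s*{re.escape(key)}\s*=\s*(\S+)\s*$")


def snapshot(text: str, key: str = "disabled") -> dict:
    """Map stanza name -> current value of `key` ('0', '1', ...) or None if absent."""
    pat = key_re(key)
    state, stanza = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            state[stanza] = None
            continue
        m = pat.match(line)
        if m and stanza is not None:
            state[stanza] = m.group(1)
    return state


def apply(text: str, wanted: dict, key: str = "disabled") -> str:
    """Rewrite `key` in each stanza listed in `wanted` (stanza -> value or None).

    None removes the key; a stanza that lacks the key gets it appended at the
    end of the stanza. Every other line is copied through unchanged.
    """
    pat = key_re(key)
    out, stanza, seen = [], None, False

    def close_stanza():
        # Stanza ended without the key but needs one: add it before trailing blanks.
        if stanza is not None and not seen and wanted.get(stanza) is not None:
            i = len(out)
            while i > 0 and out[i - 1].strip() == "":
                i -= 1
            out.insert(i, f"{key} = {wanted[stanza]}")

    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            close_stanza()
            stanza, seen = m.group(1), False
            out.append(line)
        elif stanza in wanted and pat.match(line):
            seen = True
            if wanted[stanza] is not None:
                out.append(f"{key} = {wanted[stanza]}")
        else:
            out.append(line)
    close_stanza()
    return "\n".join(out) + "\n"


def disable_all(text: str, key: str = "disabled") -> tuple:
    """Return (disabled_text, prior_state); keep prior_state to undo the change."""
    prior = snapshot(text, key)
    return apply(text, {s: "1" for s in prior}, key), prior


def restore(text: str, prior: dict, key: str = "disabled") -> str:
    """Put every stanza back to the value recorded by disable_all()."""
    return apply(text, prior, key)


# Constructed sample for illustration, not a real deployment's file.
SAMPLE_CONF = """\
[Failed logins spike]
search = index=auth action=failure \\
| stats count by user
cron_schedule = */5 * * * *
enableSched = 1
disabled = 0

[Old noisy alert]
search = index=main error
cron_schedule = 0 * * * *
disabled = 1

[Report without disabled key]
search = index=web | stats count
cron_schedule = 0 6 * * *
enableSched = 1
"""


def main(argv):
    """Usage: bulk_disable.py disable|restore path/to/savedsearches.conf"""
    if len(argv) != 3 or argv[1] not in ("disable", "restore"):
        raise SystemExit(main.__doc__)
    action, conf = argv[1], Path(argv[2])
    state_file = conf.with_name(conf.name + ".state.json")  # hypothetical name
    if action == "disable":
        new_text, prior = disable_all(conf.read_text())
        state_file.write_text(json.dumps(prior, indent=2))
    else:
        new_text = restore(conf.read_text(), json.loads(state_file.read_text()))
    conf.write_text(new_text)


if __name__ == "__main__":
    main(sys.argv)
```

Setting `disabled = 1` is the same change the UI's Disable action makes, so unlike the rename approach in the accepted answer the searches stay visible in the UI; they only stop being scheduled. Splunk layers `default/`, `local/` and per-user conf directories, so run the script against each `local/savedsearches.conf` that the accepted answer's `find` would list, keep the state files until you have restored, and restart (or reload) the search head afterwards, just as the accepted answer does. In a search head cluster the edit has to go through the deployer rather than a single member.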

logloganathan
Motivator

thanks for answering!!

0 Karma

FrankVl
Ultra Champion

What is it that you want to achieve?

If you get swamped with emails or something and want to (temporarily) stop that to troubleshoot something, you could try disabling the alert action.

I'm not aware of a way to disable all alerts in 1 click. Perhaps the CLI offers some options.

0 Karma

logloganathan
Motivator

Thanks for answering!!
This does not help me.
We have more than 1000 alerts running; I want to disable all the alerts at once instead of doing it one by one, as that takes more time.

0 Karma