Hi!
I'm using Splunk Cloud. I'm trying to create an alert to catch the event when someone disables an alert.
I need advice on the search for this alert, since I've had no luck digging into `index=_* disbled_alert_name`.
There isn't a great way to do this due to Splunk not tracking these types of changes. There is a Splunk idea that Splunk is working on that resolves some of the shortcomings of the current audit log.
https://ideas.splunk.com/ideas/E-I-49
How many users are able to edit your alerts?
Maybe you should revisit your permissions on alerts first 😉
Hi,
All alerts are saved searches, and you can query them as explained here:
https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/td-p...
As you only want to find disabled alerts (there are already a lot by default), you should only look for line items where disabled=1.
Do that in a saved search itself, querying all disabled saved searches, and it should work.
Hi, @Brausepaule, this is not exactly what I'm looking for, but maybe I can get something out of it.
I'm looking for a way to catch the event when someone disables the alert. The suggested search doesn't return information about who disabled the alert and when.
Hi @kimberlytrayson,
With this command you have the list of all saved searches, so you can identify the disabled ones:
| rest /servicesNS/-/-/saved/searches splunk_server=local
Ciao.
Giuseppe
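As an added example (not from Giuseppe's post), the REST search above extended into something that can itself be saved as a scheduled alert: it keeps only disabled scheduled searches whose object was modified in the last hour, and shows the owning app and owner. The `updated` field is the saved search's last-modified timestamp; I assume it arrives in the form `2024-01-31T10:15:00+00:00`, hence the `%:z` offset specifier. Note the caveat that matches the earlier reply: the endpoint records when the object last changed, not who changed it, so this narrows the "when" but still cannot answer the "who".

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search disabled=1 is_scheduled=1
| eval updated_epoch=strptime(updated, "%Y-%m-%dT%H:%M:%S%:z")
| where updated_epoch > relative_time(now(), "-60m@m")
| table title eai:acl.app eai:acl.owner updated
| sort - updated
```

Schedule it hourly so a newly disabled alert surfaces on the next run; any other edit to an already-disabled search will also refresh `updated`, so expect some noise from routine maintenance.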
Hi, @gcusello, this is not exactly what I'm looking for, but maybe I can get something out of it.
I'm looking for a way to catch the event when someone disables the alert. The suggested search doesn't return information about who disabled the alert and when.