Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search to find disabled alert?

kimberlytrayson
Path Finder
‎02-28-2023 04:40 AM

Hi!

I'm using Splunk cloud. Trying to create alert to catch event when someone disabling alert.
Need advice on the search for this alert, since has no luck with digging into `index=_* disbled_alert_name`

Labels (1)
Labels
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎02-28-2023 12:43 PM

There isn't a great way to do this due to Splunk not tracking these types of changes. There is a Splunk idea that Splunk is working on that resolves some of the shortcomings of the current audit log.

https://ideas.splunk.com/ideas/E-I-49

 

0 Karma
Reply

Brausepaule
Path Finder
‎02-28-2023 12:34 PM

how many users are able to edit your alerts?

Maybe you should revisit your permissions on alerts first 😉

0 Karma
Reply

Brausepaule
Path Finder
‎02-28-2023 05:52 AM

Hi,

all alerts should be saved searches and you can query them like explained here:
https://community.splunk.com/t5/Alerting/How-can-I-query-to-get-all-alerts-which-are-configured/td-p...

as you only want to find disabled alerts (there are already a lot by default) you should only scan for line items where disabled=1

do that in a saved search itself quering all disabled saved searches..and it should work

0 Karma
Reply

kimberlytrayson
Path Finder
‎02-28-2023 12:26 PM

Hi, @Brausepaule , this is not exactly what I'm looking for, but maybe I can get something out of it.

I'm looking for a way to catch event when someone disabling the alert. Suggested search doesn't return information about who disabled the alert and when.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-28-2023 05:50 AM

Hi @kimberlytrayson,

with this command you have the list pf all savedsearches, so you can identify the disabled ones:

| rest /servicesNS/-/-/saved/searches splunk_server=local

Ciao.

Giuseppe

0 Karma
Reply

kimberlytrayson
Path Finder
‎02-28-2023 12:27 PM

Hi, @gcusello  , this is not exactly what I'm looking for, but maybe I can get something out of it.

I'm looking for a way to catch event when someone disabling the alert. Suggested search doesn't return information about who disabled the alert and when.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...