
Alerts To CSV File

Splunk stores alerts and saved searches in savedsearches.conf file(s). Currently, there seems to be no easy way to report on and dump out all your alerts without clicking the mouse 1000+ times, especially if you have, say, 800+ alerts defined and running. Wouldn't it be nice to be able to dump all of the Splunk alerts you have defined to a .csv file and review them with Excel? Now you can.

This app provides a way for an organization or an individual to convert user-defined alerts contained in internal Splunk savedsearches.conf files to a user-friendly readout in a .csv file. When you save searches and create alerts, Splunk stores them for you in a number of savedsearches.conf files. You may have alerts defined in only one savedsearches.conf file or in many, depending on whether different users are defining their own alerts.

The workflow to dump out the alerts is fairly easy:

1. Install this app, then select it. The app has a search bar.
2. Enter the search "| exportalerts list" (without the quotes) to get a list of where your savedsearches.conf files are stored. The command returns one or more paths to savedsearches.conf files, relative to this app.
3. Copy each line and paste it as a suffix to the "| exportalerts " command, that is, run "| exportalerts PATH", where PATH is a path copied from the "| exportalerts list" output. For example, "| exportalerts ../../search/local/savedsearches.conf" is a correct search string that causes the app to list the alerts defined in that particular savedsearches.conf file.
4. Once you have the list of your alerts, save this search as a REPORT. Then run the report and export it as a .csv file.

To export a report as a .csv file, look in the far upper right of the app screen for a downward-pointing arrow into a horizontal bar. This is the export / download to .csv icon, and it is used from a REPORT. You can only download to a .csv file when you SAVE your search as a report. For example: you located a savedsearches.conf file, issued "| exportalerts ../../username/savedsearches.conf", and see the alerts listed below. Next, open the report. You will see the alerts listed in the report. Go to the upper right menu bar of the report and look for export, then export to .csv. The icon is a downward arrow into a horizontal line. You can name the .csv file, and it starts to download from your browser. Once the .csv file is downloaded to your desktop, open it with Excel.

For more detailed help on how to use this app, select this app in the drop-down, then type "| exportalerts help" (without the quotes) in the search bar for the full help workflow.
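The kind of conversion described above, from savedsearches.conf stanzas to CSV rows, as an added example that is not the app's own code. The sample file content, the function names and the chosen columns are assumptions; continued search lines are joined with a space, and cells Excel would treat as formulas are neutralised.

```python
import csv
import io

# Constructed sample in savedsearches.conf syntax (not from a real deployment).
SAMPLE_CONF = r"""
[Failed logins spike]
search = index=auth action=failure \
| stats count by user \
| where count > 20
cron_schedule = */15 * * * *
enableSched = 1

[Ad hoc report]
search = index=web status=500
enableSched = 0
"""

FIELDS = ["title", "search", "cron_schedule", "enableSched", "action.email.to"]

def parse_conf(text):
    """Return one dict per [stanza]; a trailing backslash continues a value."""
    stanzas, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1].rstrip() + " "  # join continued lines with a space
            continue
        buf = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append({"title": line[1:-1]})
        elif stanzas and "=" in line:
            key, _, value = line.partition("=")
            stanzas[-1][key.strip()] = value.strip()
    return stanzas

def safe_cell(value):  # neutralise cells Excel would evaluate as a formula
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value

def to_csv(stanzas, scheduled_only=False):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(FIELDS)
    for s in stanzas:
        if not scheduled_only or s.get("enableSched") in ("1", "true"):
            writer.writerow([safe_cell(s.get(f, "")) for f in FIELDS])
    return out.getvalue()

print(to_csv(parse_conf(SAMPLE_CONF)))
```

Passing scheduled_only=True keeps only stanzas with enableSched set, which separates scheduled alerts from ad hoc saved searches in the output.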

Built by Jeffrey Fall

Latest Version 1.3.0
August 11, 2023
Compatibility
Not Available
Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0
Rating

1

(3)

Support
Developer Supported app

Created By

Jeffrey Fall

Type

app

Downloads

1,243
