https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-retrieve-fired-alerts-in-chronological-order/m-p/693996#M19803 <P>You could use the /services/search/v2/jobs REST endpoint</P><P>&nbsp;</P><LI-CODE lang="markup">| rest /services/search/v2/jobs | search label = "SOC - *" | sort - updated | table label updated author ```add fields as desired```</LI-CODE> Mon, 22 Jul 2024 19:09:22 GMT marnall 2024-07-22T19:09:22Z https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-retrieve-fired-alerts-in-chronological-order/m-p/693958#M19802 <P>Hello,</P><P>I used Splunk REST API with Search endpoint to be able to retrieve the latest fired alerts based on a title search.</P><P>I get the fired alerts in alphabetical order but not in chronological order since all the alerts obtained have the default field &lt;updated&gt;1970-01-01T01:00:00+01:00&lt;/updated&gt;.<BR /><BR />Here's the url and query I used :<BR /><A target="_blank" rel="noopener">https://&lt;host&gt;:&lt;mPort&gt;/services/alerts/fired_alerts?search=name%3DSOC%20-*&amp;&amp;sort_dir=desc&amp;sort_key=updated</A></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| rest /services/alerts/fired_alerts/ | search title="SOC - *" | sort -updated | table title, updated, triggered_alert_count, author</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31843iE182B0D8DA2E7AF5/image-size/large?v=v2&amp;px=999" role="button" title="splunk.PNG" alt="splunk.PNG" /></span><BR /><BR />Here are the references I used :&nbsp;<BR /><A href="https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTsearch#alerts.2Ffired_alerts" target="_blank" rel="noopener">Search endpoint descriptions - Splunk Documentation</A><BR /><A href="https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTprolog#Pagination_and_filtering_parameters" target="_blank" rel="noopener">Using the REST API reference - Splunk Documentation</A><BR /><SPAN><BR />So, how can I retrieve fired alerts in chronological order with a title search ? Or how can I obtain a field indicating the date the alert was triggered ?</SPAN></P><P>Thanks in advance.</P> Mon, 22 Jul 2024 12:32:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-retrieve-fired-alerts-in-chronological-order/m-p/693958#M19802 av81 2024-07-22T12:32:51Z https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-retrieve-fired-alerts-in-chronological-order/m-p/693996#M19803 <P>You could use the /services/search/v2/jobs REST endpoint</P><P>&nbsp;</P><LI-CODE lang="markup">| rest /services/search/v2/jobs | search label = "SOC - *" | sort - updated | table label updated author ```add fields as desired```</LI-CODE> Mon, 22 Jul 2024 19:09:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-retrieve-fired-alerts-in-chronological-order/m-p/693996#M19803 marnall 2024-07-22T19:09:22Z