topic Re: Use REST in search to get trigger times of alerts in Alerting

Use REST in search to get trigger times of alerts

aohls — Fri, 11 Dec 2020 15:13:26 GMT

I am trying to work around not having access to the _internal index; I can't get access at this time. I want to add annotations to a dashboard showing the last time certain alerts triggered. I know how to get an annotation working; I used loadjob but the issue is I can't get historical data accurately it seems. I want to be able to look at the previous day and then see alerts that fired for the time period.

I was doing something like the following; I haven't used REST much and am still exploring it:

|rest /servicesNS/-/-/searches |join title [| rest /servicesNS/-/-/alerts/fired_alerts]

Re: Use REST in search to get trigger times of alerts

richgalloway — Fri, 11 Dec 2020 15:31:21 GMT

What results did you expect from that query and what results did you get?

Have you tried this?

|rest /servicesNS/-/-/searches |join title [| rest /servicesNS/-/-/alerts/fired_alerts]

Re: Use REST in search to get trigger times of alerts

aohls — Fri, 11 Dec 2020 15:37:21 GMT

So when doing this I only get one result, using a specific alert I know has fired a few times in the last 4 hours. What I want is to essentially get the historical trigger times of the alert.

I know _audit is the best way; I will not get granted access to this right now though but trying to work around it since the annotations would be very useful.

Re: Use REST in search to get trigger times of alerts

aohls — Fri, 11 Dec 2020 15:58:20 GMT

Looks like this due to user limitations. I tried it on my home search and it seems like it should get what I want.