topic Re: Triggered Alerts Results in Splunk Search

Triggered Alerts Results

abhi22 — Thu, 14 Jan 2021 16:28:22 GMT

Hello,

I'm looking to get the triggered alert results with alert name and triggered time in one table. Being very simple

Column 1 triggered alert name

Column 2 triggered time

Column 3 Results of the triggered alert

Could anyone help me with this

Thanks in Advance

Re: Triggered Alerts Results

richgalloway — Thu, 14 Jan 2021 21:44:33 GMT

We need more information. Based on what's in the question, the best we can offer is

<some search> | table AlertName _time AlertResults

Tell us more about the data and we may be able to add some details.

Re: Triggered Alerts Results

abhi22 — Fri, 15 Jan 2021 14:28:38 GMT

Hello Richgalloway,

I am trying to get the Trigger Alerts dashboard which will show the Alerts which are triggered, I am able to achieve the same using below search query:
index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time) | table trigger_time ss_name severity | rename trigger_time as "Alert Time" ss_name as "Alert Name" severity as "Severity" , Apart from this in another column I also need the results of the triggered alert (events which caused the alert to trigger) or the link which directs to the results of that particular alert . Could you please suggest me on this

Re: Triggered Alerts Results

richgalloway — Fri, 15 Jan 2021 15:31:23 GMT

Alert results are not available via SPL because they are not indexed nor does any REST command expose them.

Re: Triggered Alerts Results

abhi22 — Fri, 15 Jan 2021 15:46:23 GMT

Thank you,

At least when we click on the alert in the dashboard, it should redirect to the results/events which triggered the alert, please suggest if the above is possible and how we can achieve the same

Re: Triggered Alerts Results

richgalloway — Fri, 15 Jan 2021 15:51:42 GMT

I don't have a suggestion other than to use the built-in Triggered Alerts dashboard.