https://community.splunk.com/t5/Splunk-Search/How-do-I-get-the-event-associated-to-a-fired-alert/m-p/346835#M165359 <P>I run this search: index=_audit action=fired_alert</P> <P>I get back this which looks like properties of the alert.<BR /> Audit:[timestamp=11-08-2017 06:52:57.231, id=35143213, user=admin, action=alert_fired, ss_user="nobody", ss_app="search", ss_name="RDP by GenericID Prod", sid="rt_scheduler_<EM>admin</EM><EM>search</EM>_RMD5cf6dac5adc7385e1_at_1510141830_38328.0", alert_actions="email,notable,resilient", severity=3, trigger_time=1510141971, expiration=1510228377, digest_mode=0, triggered_alerts=1][OhxQLHMR0bgxLAaqfsIRoIsoknIp5H1APZ24P4Hm/9FDp8O0VT46WEsP+yLAPbuHYNBkjd8X2/Lu4tVXmqLy+d738KZDjCqFTCu9WcwwILDA97uAfDes/bqw0KamiumItENPlXSQkZIGLfuULHuVoBWOdWrIDF5MMp2y19XsXps=]</P> <P>The search for the alert looks like this:<BR /> index="wineventlog" EventCode=4648 Logon_ID=0x3e7 Process_Name="C:\Windows\System32\winlogon.exe" [ | inputlookup serts-prod.csv | rename genid as user_identity | table user_identity] | eval discovered_date=ceil(_time) * 1000| fields host, user, Account_Domain, discovered_date</P> <P>How do I get values in the field statement? it should be my username, my workstation and my logon domain.</P> <P>Thanks!</P> Tue, 29 Sep 2020 16:35:48 GMT pfabrizi 2020-09-29T16:35:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-the-event-associated-to-a-fired-alert/m-p/346835#M165359 <P>I run this search: index=_audit action=fired_alert</P> <P>I get back this which looks like properties of the alert.<BR /> Audit:[timestamp=11-08-2017 06:52:57.231, id=35143213, user=admin, action=alert_fired, ss_user="nobody", ss_app="search", ss_name="RDP by GenericID Prod", sid="rt_scheduler_<EM>admin</EM><EM>search</EM>_RMD5cf6dac5adc7385e1_at_1510141830_38328.0", alert_actions="email,notable,resilient", severity=3, trigger_time=1510141971, expiration=1510228377, digest_mode=0, triggered_alerts=1][OhxQLHMR0bgxLAaqfsIRoIsoknIp5H1APZ24P4Hm/9FDp8O0VT46WEsP+yLAPbuHYNBkjd8X2/Lu4tVXmqLy+d738KZDjCqFTCu9WcwwILDA97uAfDes/bqw0KamiumItENPlXSQkZIGLfuULHuVoBWOdWrIDF5MMp2y19XsXps=]</P> <P>The search for the alert looks like this:<BR /> index="wineventlog" EventCode=4648 Logon_ID=0x3e7 Process_Name="C:\Windows\System32\winlogon.exe" [ | inputlookup serts-prod.csv | rename genid as user_identity | table user_identity] | eval discovered_date=ceil(_time) * 1000| fields host, user, Account_Domain, discovered_date</P> <P>How do I get values in the field statement? it should be my username, my workstation and my logon domain.</P> <P>Thanks!</P> Tue, 29 Sep 2020 16:35:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-the-event-associated-to-a-fired-alert/m-p/346835#M165359 pfabrizi 2020-09-29T16:35:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-the-event-associated-to-a-fired-alert/m-p/346836#M165360 <P>You have the SID of the search that triggered the alert -rt_scheduler_<EM>admin</EM><EM>search</EM>_RMD5cf6dac5adc7385e1_at_1510141830_38328.0 </P> <P>Then use one of the endpoints (/services/search/jobs, /services/search/jobs/{search_id}/results) to get the search results using the SID.</P> Tue, 29 Sep 2020 16:39:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-the-event-associated-to-a-fired-alert/m-p/346836#M165360 akheraj_splunk 2020-09-29T16:39:31Z https://community.splunk.com/t5/Splunk-Search/How-do-I-get-the-event-associated-to-a-fired-alert/m-p/346837#M165361 <P>I did this, but not sure this is the best approach.<BR /> "search index=_audit action=alert_fired earliest=startingDate latest=endingDate | map search=" |loadjob sid"</P> <P>I use a starting and ending date so I am only searching on a time frame when the alert happened and not the entire time frame.</P> <P>I am using the C# SDK, but is what you listed above a more efficient method?</P> <P>Thanks!</P> Tue, 29 Sep 2020 16:45:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-get-the-event-associated-to-a-fired-alert/m-p/346837#M165361 pfabrizi 2020-09-29T16:45:00Z