Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cant query triggered alerts from Splunk

ridutta
New Member
‎01-04-2018 08:39 PM

I have few alerts enabled in Splunk and they are added to triggered actions. Now today an alert triggered and its showing under the alert but i cant search the alert metadata using the following query:

index=_audit action="alert_fired"

App: Search and Reporting
Alert Configurede in the same app only. Am i doing someting wrong?

Thanks and Regards,
Rishav

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nikita_p
Contributor
‎01-04-2018 11:18 PM

Hi @ridutta,
Can you try rest api search for this?
|rest /services/search/jobs | search author=admin AND id=*scheduler AND (label= OR )| stats values(earliestTime) AS Time BY label

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ridutta
New Member
‎01-05-2018 12:23 AM

Got it what i wanted. Thanks all!!

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-05-2018 12:15 AM

hey @ridutta

This makes a really good use case for join since the alert threshold is hold in the savedsearch.conf and is accessible over the REST endpoint /services/saved/searches.
You will first need to get the alerts_threshold from REST and join it with the triggered alerts by the title: 

index=_audit action="alert_fired" 
 | rename ss_name AS title 
 | join title [ | rest /services/saved/searches | table title, alert_threshold ] 
 | timechart values(alert_threshold) AS alert_threshold count by title

I hope this works for you!

0 Karma
Reply
Solved! Jump to solution
Solution

nikita_p
Contributor
‎01-04-2018 11:18 PM

Hi @ridutta,
Can you try rest api search for this?
|rest /services/search/jobs | search author=admin AND id=*scheduler AND (label= OR )| stats values(earliestTime) AS Time BY label

0 Karma
Reply
Solved! Jump to solution

ridutta
New Member
‎01-05-2018 12:11 AM

Thanks a lot Nikita.... This kind of worked and I can tweek further. But there are so many columns but I want the specific ones.... How to remove the rest?

0 Karma
Reply
Solved! Jump to solution

nikita_p
Contributor
‎01-05-2018 12:38 AM

You can remove rest using NOT label=

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎01-04-2018 08:53 PM

Hi ridutta,

Could you please tell what information you want regarding alert?

0 Karma
Reply
Solved! Jump to solution

ridutta
New Member
‎01-04-2018 08:57 PM

So what i want is actually to fetch the triggered alert metadata and add it as a dashboard panel for the last 24 hours.
Alert Name and Triggered Time and count will do.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...