Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Good search for alerts that haven't triggered in at least a month?

aberkow
Builder
‎12-06-2019 07:18 AM

I basically want to audit the many dozen infrastructure alerts we have to see which ones aren't firing (this doesn't necessarily mean somethings wrong, but is good information to have in a digest). Anyone have a search they use for this or a similar idea?

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 01:01 PM

You may have to extend index retention or artifact TTL but here are your options:

index="_audit" action="alert_fired"

OR:

|rest/servicesNS/-/-/alerts/fired_alerts

OR (you can see alert_actions here):

index="_internal" sourcetype="scheduler" thread_id="*" app="*"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 01:01 PM

You may have to extend index retention or artifact TTL but here are your options:

index="_audit" action="alert_fired"

OR:

|rest/servicesNS/-/-/alerts/fired_alerts

OR (you can see alert_actions here):

index="_internal" sourcetype="scheduler" thread_id="*" app="*"
0 Karma
Reply
Solved! Jump to solution

aberkow
Builder
‎12-19-2019 10:44 AM

Building off of @woodcock's suggestion, ended up with something like this, still thinking about the where clause or triggering condition though:

index="_audit" action="alert_fired" earliest=-13d user={userYouCareAbout1 OR userYouCareAbout2}
| bin _time span=7d as week 
| stats count by action, ss_name, week 
| eventstats max(week) as latestWeek, min(week) as earliestWeek 
| eval latestWeek=if(week=latestWeek, count, null()), 
       earliestWeek=if(week=earliestWeek,count, null())
| stats values(earliestWeek) as earliestWeekCount, values(latestWeek) as latestWeekCount by ss_name
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎12-21-2019 08:25 PM

In Alerts for Splunk Admins I did (github link):
SearchHeadLevel - Alerts that have not fired an action in X days

However the audit logs might be more accurate as I haven't used this query in years...

index=_internal source="*scheduler.log" sourcetype=scheduler `searchheadhosts` alert_actions!="" 
| rex ", app=\"(?P<app>[^\"]+)\","
| stats count by savedsearch_name, app 
| append 
    [| rest splunk_server=local /servicesNS/-/-/saved/searches 
    | search actions!="summary_index" actions!="" next_scheduled_time!="" search!="| noop" 
    | table eai:acl.app, title 
    | eval fromRESTQuery=""
    | rename title as savedsearch_name, eai:acl.app as app ]
| eventstats count(eval(isnotnull(fromRESTQuery))) AS restCount, count by savedsearch_name, app
| where restCount=1 AND count=1
| table savedsearch_name, app
-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...