Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I include the host field in my real-time alert

danieldu
Engager
‎01-07-2015 09:27 AM

The Alert:

(host="x.x.x.254" OR host="x.x.x.253" OR host="x.x.x.54" OR host="x.x.x.253") "%PIM-5-NBRCHG" DOWN interface "port-channel*"

The Output:

2015-01-07T10:01:29-0500 <189>294832: 307113: Jan 7 10:01:29 EST: %PIM-5-NBRCHG: neighbor x.x.x.73 DOWN on interface Port-channel15 non DR

So the alert is fine, but how do I know which of the four host its coming from, need to see "host" with the alert. New to this, so appreciate the help.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-07-2015 09:50 AM

If you're showing the raw event in the alert email, add following to the end if the alert search

| table host, _raw

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-07-2015 09:50 AM

If you're showing the raw event in the alert email, add following to the end if the alert search

| table host, _raw

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...