Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to export a list of triggered alerts to CSV based on the name of the scheduled search that triggered them.

cdo_splunk
Splunk Employee
Splunk Employee
‎02-03-2015 12:06 PM

How to export splunk alert name only from search to excel csv format?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎02-03-2015 12:18 PM

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎02-03-2015 12:18 PM

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

Reply
Solved! Jump to solution

twinspop
Influencer
‎02-20-2015 03:35 PM

This works great for single search environments. But with pooled search heads, I only see the triggered alerts on the search head I happen to be landing on. (I don't have a search head cluster set-up yet to test. Does this behavior change?)

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎08-15-2016 05:13 AM

In Splunk cloud with more than 1 search head, would this approach still work to get all the fired alerts?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...