Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to produce an alert invocations report?

danielbb
Motivator
‎08-07-2019 10:06 AM

We are not sure what's going on with our cyber alerts and @gcusello assisted at Is there a way to inspect an alert?

Is there a way to produce an alerts invocations report? A report that would show how many times each alert was fired.

alt text

In the Searches, Reports, and Alerts page, we see the Alerts count - for which time period is it?

Tags (2)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobpevans
Motivator
‎08-07-2019 01:50 PM

Based on your screenshot, these are saved as triggered alerts (since the Alerts column is not zero). This query will identify all triggered alerts:

index=_audit action=alert_fired

It will also give you the fields ss_app and ss_name (name of the Alert) if that is useful for you.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobpevans
Motivator
‎08-07-2019 01:50 PM

Based on your screenshot, these are saved as triggered alerts (since the Alerts column is not zero). This query will identify all triggered alerts:

index=_audit action=alert_fired

It will also give you the fields ss_app and ss_name (name of the Alert) if that is useful for you.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply
Solved! Jump to solution

danielbb
Motivator
‎08-09-2019 08:34 AM

Thank you @jacobevans.

Using your query I found out that there were 91 invocations of a certain alert during a two hour span.

The alert type is Real-time
The Trigger alert when is Per-Result
and Throttle is not checked out

I wonder what we do wrong here. I guess throttling should help - Throttle alerts

However, on 7/30 we had 91 such alerts. I searched the data for that day using the query from the alert and only 8 events came back.

It doesn't make much sense....

0 Karma
Reply
Solved! Jump to solution

jacobpevans
Motivator
‎08-15-2019 05:32 PM

I'm guessing here, but I think you're seeing 91 emails (that's what you mean by alerts?), but there were only 8 events because it was only triggered 8 times, but there were many more emails due to the per-result part of the alert.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Solved! Jump to solution

danielbb
Motivator
‎08-16-2019 06:34 AM

I opened a bug report with Support. You see, the moment I changed it to index_earliest=-15m _index_latest=now index=your index | rest of the stuff on a 15 minute cron job, It works perfectly fine.

At Why are we getting excessive number of alerts?

0 Karma
Reply
Solved! Jump to solution

danielbb
Motivator
‎08-14-2019 06:26 AM

A follow up on this one at Why audit for alerts doesn't record private alerts?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...