Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a possible way to easily correlate alert metadata and search logs?

doronca
Explorer
‎06-12-2019 12:36 AM

Hi There,

I've created several alerts with "search & reporting" splunk app. I set the alert action both "alert manager" app and "add to triggered alert" which resulted in logs that contains the alert metadata such as name and creation time.

I would like to join the raw data (search query data) with the alert metadata, however, I couldn't find even a single common field between the 2 log sources.

As a workaround I've added another action to my alert - "log event", and customize an event that contains fields that is shared among both the raw data (search query logs) and the alert metadata logs. This works, but it doesn't feel like the most elegant solution.

I wonder if anyone have encountered similar problem or have an idea how to correlate between "alert manager" metadata logs and search query logs?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...