Alerting

REST API Doesn’t Return All Alerts From the _audit Index

krunoslav
Engager

Hi everyone,

I'm checking the alerts via the REST API (/servicesNS/e524067/-/alerts/fired_alerts/-), and what I get is consistent with what is shown in the Triggered Alerts view. However, if I run a search index=_audit action=alert_fired, I see the same alerts I get via REST but also some other alerts. I checked the expiration and trigger times; those extra alerts are fairly new and have not expired yet. What is the reason for this inconsistency?

Thanks,

Krunoslav Ivesic

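To pin down exactly which alert_fired audit events the REST endpoint is not returning, it helps to pull both sources and diff them by search id rather than eyeballing the two views. The script below is an added example, not code from the original post or from Splunk: it fetches the fired_alerts collection and the _audit search results, joins them on the sid, and reports each audit event with no REST counterpart together with its saved-search name, owning user and expiration. The field names (savedsearch_name, sid and trigger_time in the REST entries; ss_name, sid, trigger_time, expiration and user in the _audit events), the bearer-token authentication and the sample data are assumptions made for this example; the sample records are constructed, not real Splunk output, and only the offline comparison runs without a server.

```python
"""Diff Splunk fired alerts: REST fired_alerts endpoint vs. index=_audit action=alert_fired."""
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample data for this example (not real Splunk output).
# Two alerts appear in both sources; a third appears only in _audit.
SAMPLE_REST_ENTRIES = [
    {"name": "Failed logins spike", "content": {
        "savedsearch_name": "Failed logins spike",
        "sid": "scheduler__e524067__search__RMD5a1_at_1715000000_10",
        "trigger_time": 1715000000, "severity": 4}},
    {"name": "New admin account", "content": {
        "savedsearch_name": "New admin account",
        "sid": "scheduler__e524067__search__RMD5b2_at_1715000300_11",
        "trigger_time": 1715000300, "severity": 5}},
]
SAMPLE_AUDIT_RESULTS = [  # _audit field values arrive as strings
    {"ss_name": "Failed logins spike", "user": "e524067",
     "sid": "scheduler__e524067__search__RMD5a1_at_1715000000_10",
     "trigger_time": "1715000000", "expiration": "1715086400"},
    {"ss_name": "New admin account", "user": "e524067",
     "sid": "scheduler__e524067__search__RMD5b2_at_1715000300_11",
     "trigger_time": "1715000300", "expiration": "1715086700"},
    {"ss_name": "Outbound DNS anomaly", "user": "admin",
     "sid": "scheduler__admin__search__RMD5c3_at_1715000600_12",
     "trigger_time": "1715000600", "expiration": "1715086400"},
]


def _key(sid, name, trigger_time):
    """Join key: the search id when present, else (name, trigger time) as a fallback."""
    if sid:
        return sid
    return f"{name}@{int(float(trigger_time))}"


def rest_records(entries):
    """Index fired_alerts REST entries by join key (assumed content field names)."""
    out = {}
    for entry in entries:
        content = entry.get("content", {})
        name = content.get("savedsearch_name") or entry.get("name")
        trigger = int(float(content.get("trigger_time", 0)))
        out[_key(content.get("sid"), name, trigger)] = {"name": name, "trigger_time": trigger}
    return out


def audit_records(results):
    """Index _audit action=alert_fired events by join key (assumed field names)."""
    out = {}
    for r in results:
        trigger = int(float(r.get("trigger_time", 0)))
        out[_key(r.get("sid"), r.get("ss_name"), trigger)] = {
            "name": r.get("ss_name"), "trigger_time": trigger, "user": r.get("user"),
            "expiration": int(float(r.get("expiration", 0)))}
    return out


def diff_fired_alerts(rest_entries, audit_results):
    """Return the keys seen in both sources and the records unique to each side."""
    rest, audit = rest_records(rest_entries), audit_records(audit_results)
    return {
        "both": sorted(set(rest) & set(audit)),
        "audit_only": [{**audit[k], "sid": k} for k in sorted(set(audit) - set(rest))],
        "rest_only": [{**rest[k], "sid": k} for k in sorted(set(rest) - set(audit))],
    }


def _request(url, token, params, verify_tls, post=False):
    """Minimal splunkd call with a bearer token (assumed auth method); returns body text."""
    ctx = None if verify_tls else ssl._create_unverified_context()  # lab use only
    query = urllib.parse.urlencode(params)
    req = urllib.request.Request(url if post else f"{url}?{query}",
                                 data=query.encode() if post else None,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def fetch_rest_fired_alerts(base_url, token, user="-", verify_tls=True):
    """GET the endpoint from the post; count=0 asks for every entry."""
    body = _request(f"{base_url}/servicesNS/{user}/-/alerts/fired_alerts/-", token,
                    {"output_mode": "json", "count": 0}, verify_tls)
    return json.loads(body)["entry"]


def fetch_audit_alert_fired(base_url, token, earliest="-24h", verify_tls=True):
    """Run the _audit search via the export endpoint; one JSON result per line."""
    body = _request(f"{base_url}/services/search/jobs/export", token,
                    {"search": "search index=_audit action=alert_fired",
                     "earliest_time": earliest, "output_mode": "json"}, verify_tls, post=True)
    return [json.loads(line)["result"] for line in body.splitlines() if '"result"' in line]


if __name__ == "__main__":
    # Offline run on the constructed samples; swap in the fetch_* calls against a live instance.
    report = diff_fired_alerts(SAMPLE_REST_ENTRIES, SAMPLE_AUDIT_RESULTS)
    for rec in report["audit_only"]:
        print(f"in _audit but not in REST: {rec['name']} (owner {rec['user']}, "
              f"trigger {rec['trigger_time']}, expires {rec['expiration']}, sid {rec['sid']})")
```

Running it prints one line per audit event that the REST endpoint did not return, with the owning user, trigger time and expiration, which is the information needed to check each missing alert's saved-search configuration and permissions; the comparison is keyed on the sid because both sources carry it, and falls back to name plus trigger time only when it is absent.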