Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Report sent after Alert is triggered - is it possible?

tengugurl
New Member
‎07-09-2020 01:26 PM

Hi there!
New user here, I am looking to simplify our troubleshooting work here at work by doing the following:

1) When an Alert is triggered (Regardless of the reason/search parameters)

2) A subsequent report will be sent after the Alert is triggered. (AKA the Search parameters one would be looking to use to better investigate the alert) 

Is this possible?

Labels (1)
Labels
0 Karma
Reply

anilchaithu
Builder
‎07-10-2020 07:36 PM

@tengugurl 

Its quite possible to sent the search parameters (caused alert) to users by choosing "send email" alert action. You can always include job fields as tokens in the email.

This is better option.

anilchaithu_0-1594434394015.png

If you don't want to use this alert actions, you can create savedsearch to search REST end point to get the results of triggered alerts and send an email with the result set.

| rest /services/alerts/fired_alerts

 

Hope this helps

0 Karma
Reply

tengugurl
New Member
‎07-13-2020 12:41 PM

Hi @anilchaithu 
thanks for the thoughtful reply.
I love this idea, and have currently been adding the search parameters to the email action but was thinking of adding a separate search parameter as a follow up.

E.g Alert triggered (Your service is unfire!) separate report triggers that shows the HTTP status codes for the past hour. (Just to see how unfire it really is in comparison)

hmm I am curious on the second option you provided:

| rest /services/alerts/fired_alerts

Does this sound offbase?

Imagine I made a search that was:
index=ABC source=X |timechart count by status
then added 
| rest/services/alerts/named_alert

E.g 

index=ABC source=X |timechart count by status|rest/services/alerts/named_alert

 

I would get the email with the timechart of status when "named_alert" triggers?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...