- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Splunk Alert: how to retrieve search query and...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Alert: how to retrieve search query and results from previous trigger
I'm looking for a way to retrieve information from alert triggers that ran few days ago. info needed are : search query, time filter used for the query and query result. reason is that we are getting alert today that contains data that are days ago. thanks in advance for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please click the setting at the right side top then click searches,report and alert
then enter the alert name in the filter and search
get the alert, here you can get query,time when it trigger etc
there is option "view recent search" just click it
here you can export the result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try and check in the _audit index or if still within time frame hit the "activity" dropdown on top tight and click "triggered alerts"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @adonio i got the event from the _audit and by clicking the 'event actions'--> 'show source' i was able to get more information. How can i extract the data below but dont know how to extract the actual search details for both of these events.
Audit:[timestamp=05-30-2018 01:26:40.497, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rt_scheduler_ZG9uLnBhdHJpY2subi5wZXBpdG8_search_RMD59eb0161499e9b71c_at_1527059197_2.17][n/a]
Audit:[timestamp=05-30-2018 01:26:40.726, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rt_scheduler_ZG9uLnBhdHJpY2subi5wZXBpdG8_search_RMD59eb0161499e9b71c_at_1527059197_2.18][n/a]
Can you please help me extracting the search query of these events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try and search in the _internal or _audit indexes for the ZG9uLnBhdHJpY2subi5wZXBpdG8
search in verbose and look at the fields on the left. see if you have values for the field savedsearchname or something similar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for sharing...jobs were expired which probably the reason i'm having a hard time finding it...
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
