Use REST for alert information

aohls · ‎11-19-2020

I am using the rest services within the search to get information on alerts that have triggered. I am trying to piece together alert information and can find most of it. What I am unable to find; maybe not knowing all the fields, is the trigger time. I see that fired_alerts has the next_scheduled_time but I don't see that it has the triggered time. I do not have access to _index so I am working on getting some of this information here if possible.

richgalloway · ‎11-19-2020

The unintuitive place to find that is in the triggered_alert_count field in | rest /services/saved/searches

---
If this reply helps you, Karma would be appreciated.

aohls · ‎11-19-2020

This tells the count for the alert but not the time.

richgalloway · ‎11-20-2020

Sorry for providing the wrong information.

The trigger_time field is not returned as part of the general alerts/fired-alerts query. You get it only when you request information about a specific alert name.

---
If this reply helps you, Karma would be appreciated.

Use REST for alert information

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Use REST for alert information

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience