Solved: Use REST in search to get trigger times of alerts

aohls · ‎12-11-2020

I am trying to work around not having access to the _internal index; I can't get access at this time. I want to add annotations to a dashboard showing the last time certain alerts triggered. I know how to get an annotation working; I used loadjob but the issue is I can't get historical data accurately it seems. I want to be able to look at the previous day and then see alerts that fired for the time period.

I was doing something like the following; I haven't used REST much and am still exploring it:

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

richgalloway · ‎12-11-2020

What results did you expect from that query and what results did you get?

Have you tried this?

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-11-2020

What results did you expect from that query and what results did you get?

Have you tried this?

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

---
If this reply helps you, Karma would be appreciated.

aohls · ‎12-11-2020

Looks like this due to user limitations. I tried it on my home search and it seems like it should get what I want.

aohls · ‎12-11-2020

So when doing this I only get one result, using a specific alert I know has fired a few times in the last 4 hours. What I want is to essentially get the historical trigger times of the alert.

I know _audit is the best way; I will not get granted access to this right now though but trying to work around it since the annotations would be very useful.

Use REST in search to get trigger times of alerts

alert action

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!