Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use REST in search to get trigger times of alerts

aohls
Contributor
‎12-11-2020 07:11 AM

I am trying to work around not having access to the _internal index; I can't get access at this time. I want to add annotations to a dashboard showing the last time certain alerts triggered. I know how to get an annotation working; I used loadjob but the issue is I can't get historical data accurately it seems. I want to be able to look at the previous day and then see alerts that fired for the time period. 

 

I was doing something like the following; I haven't used REST much and am still exploring it:

 

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-11-2020 07:31 AM

What results did you expect from that query and what results did you get?

Have you tried this?

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-11-2020 07:31 AM

What results did you expect from that query and what results did you get?

Have you tried this?

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎12-11-2020 07:58 AM

Looks like this due to user limitations. I tried it on my home search and it seems like it should get what I want.

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎12-11-2020 07:37 AM

So when doing this I only get one result, using a specific alert I know has fired a few times in the last 4 hours. What I want is to essentially get the historical trigger times of the alert.

 

I know _audit is the best way; I will not get granted access to this right now though but trying to work around it since the annotations would be very useful.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...