Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use REST in search to get trigger times of alerts

aohls
Contributor
‎12-11-2020 07:11 AM

I am trying to work around not having access to the _internal index; I can't get access at this time. I want to add annotations to a dashboard showing the last time certain alerts triggered. I know how to get an annotation working; I used loadjob but the issue is I can't get historical data accurately it seems. I want to be able to look at the previous day and then see alerts that fired for the time period. 

 

I was doing something like the following; I haven't used REST much and am still exploring it:

 

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-11-2020 07:31 AM

What results did you expect from that query and what results did you get?

Have you tried this?

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-11-2020 07:31 AM

What results did you expect from that query and what results did you get?

Have you tried this?

|rest /servicesNS/-/-/searches
|join title
[| rest /servicesNS/-/-/alerts/fired_alerts]

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎12-11-2020 07:58 AM

Looks like this due to user limitations. I tried it on my home search and it seems like it should get what I want.

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎12-11-2020 07:37 AM

So when doing this I only get one result, using a specific alert I know has fired a few times in the last 4 hours. What I want is to essentially get the historical trigger times of the alert.

 

I know _audit is the best way; I will not get granted access to this right now though but trying to work around it since the annotations would be very useful.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...