Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the query string to create an alert to trigger when another user creates an alert?

jordanm
Observer
‎04-30-2020 10:51 AM

Hello -

We are trying to determine how to create an alert to tell us when other users create alerts. I'm aware this is somewhat recursive thinking.

index=_internal sourcetype=scheduler user=maidman | eval is_realtime=if(searchmatch("sid=rt* OR concurrency_category=real-time_scheduled"),"yes","no")
|table savedsearch_name, user, date_hour, date_minute

Tells me when an alert ran but not the creation date.

Labels (1)
Labels
0 Karma
Reply

renjujacob88
Path Finder
‎05-22-2020 12:27 PM

The logic below populates all the alerts to the test_alert_track lookup and display the alerts which are created within one day.

|rest splunk_server=local /servicesNS/-/search/saved/searches | search alert.track=1
| eval updated = strptime(updated,"%Y-%m-%dT%H:%M:%S")
| stats max(updated) as lastTime min(updated) as firsTime values(author) as author values(alert.track) as alert.track by title
| inputlookup append=t test_alert_track.csv
| stats min(firsTime) as firsTime max(lastTime) as lastTime values(author) as author values(alert.track) as alert.track by title
| outputlookup test_alert_track.csv
| search author!=nobody
| where now()-firsTime < 86400

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!