Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

What is the query string to create an alert to trigger when another user creates an alert?

jordanm
New Member
‎04-30-2020 10:51 AM

Hello -

We are trying to determine how to create an alert to tell us when other users create alerts. I'm aware this is somewhat recursive thinking.

index=internal sourcetype=scheduler user=maidman | eval isrealtime=if(searchmatch("sid=rt* OR concurrencycategory=real-timescheduled"),"yes","no")
|table savedsearchname, user, datehour, date_minute

Tells me when an alert ran but not the creation date.

Labels (1)
0 Karma
Reply
Highlighted

Re: What is the query string to create an alert to trigger when another user creates an alert?

renjujacob88
Path Finder
‎05-22-2020 12:27 PM

The logic below populates all the alerts to the testalerttrack lookup and display the alerts which are created within one day.

|rest splunkserver=local /servicesNS/-/search/saved/searches | search alert.track=1
| eval updated = strptime(updated,"%Y-%m-%dT%H:%M:%S")
| stats max(updated) as lastTime min(updated) as firsTime values(author) as author values(alert.track) as alert.track by title
| inputlookup append=t testalerttrack.csv
| stats min(firsTime) as firsTime max(lastTime) as lastTime values(author) as author values(alert.track) as alert.track by title
| outputlookup testalert_track.csv
| search author!=nobody
| where now()-firsTime < 86400

0 Karma
Reply