Why doesn't audit for alerts record private alerts?

danielbb
Motivator

Based on "How to produce an alert invocations report?"

index=_audit action=alert_fired doesn't seem to show private alerts that got fired. Does it make sense?

1 Solution

danielbb
Motivator

@richgalloway, it was because the alert didn't have the "Add to Triggered Alerts" action at "What does the Add to Triggered Alerts action do for an alert?"

Sukisen1981
Champion

@danielbb please convert your comment to an answer and accept it, as it has resolved your issue 🙂

danielbb
Motivator

Thanks @Sukisen1981.

richgalloway
SplunkTrust

Perhaps because the alert is private? Perhaps because _audit leaves something to be desired.
Have you looked in _internal for the information you seek?

---
If this reply helps you, an upvote would be appreciated.