Alerting

alert report/search showing triggered devices

adrianrepublic
Explorer

We have alerts set up which trigger an email when a specific device has triggered. This has been working great and has provided good alerting based on the threshold below.

The search is below:

index=index1 sourcetype="devices" earliest=-24h latest=now | stats avg(temp) as avg_temp by customer_id | where avg_temp < 15

However, a customer wants reporting to show the individual customer/device and how many times it has alerted. Is there any way to report on this, as the scheduler.log doesn't provide this granularity for, say, 3 months of triggered alerts?


rnowitzki
Builder

Hi @adrianrepublic

You could add the alert action "Output results to lookup". So you have it in a table as long as you need it.
You can then create a report based on this lookup.

Hope it helps
BR
Ralph

--
Karma and/or Solution tagging appreciated.

adrianrepublic
Explorer

Hi @rnowitzki many thanks for this that could be a great option.


I will set this up and hopefully it produces a report. Would you suggest appending or replacing? I would like to be able to keep a certain amount over time, so appending would make more sense.


rnowitzki
Builder

Maybe append and also keep the timestamp. You could set up another job that removes lines older than x months...

Cheers

--
Karma and/or Solution tagging appreciated.

adrianrepublic
Explorer

Hi @rnowitzki, it seems to have produced the CSV, which is great.


However, because the alert trigger is based on a value over an average over 24 hours and the scheduled alert runs every day at 9am, how do I add the timestamp/date to the CSV?


rnowitzki
Builder

Hi @adrianrepublic ,

You could add this at the end of your search, to get a column with today's date:

|eval today=strftime(now(), "%Y-%m-%d")

Or this, if you prefer epoch

|eval todayepoch=now()


The field should then also be created in the CSV.

Hope that works for you.
BR
Ralph

--
Karma and/or Solution tagging appreciated.
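Pulling Ralph's three suggestions together (append to a lookup, stamp each row with the run time, and prune old rows with a second job) plus the per-customer count report the customer asked for, as an added example that is not from the original thread. The lookup name alert_history.csv, the 90-day retention window, the stanza names and the field names trigger_time/trigger_date/window_start are assumptions; the action.lookup.* keys are the savedsearches.conf form of the "Output results to lookup" alert action, so check them against the savedsearches.conf.spec for your Splunk version before relying on them. The search still groups by customer_id as in the original; if your events carry a device field, add it to the `by` clause in both the alert and the report.

```ini
# savedsearches.conf fragments (added example, not from the thread).
# Assumed: lookup file alert_history.csv, 90-day retention, field names
# trigger_time / trigger_date / window_start.

# 1. The existing 09:00 alert, extended with a timestamp so every row the
#    alert action appends records when it fired. now() is the run time, so
#    window_start documents which 24h window the average was computed over.
#    The existing action.email settings are left as they are.
[device_low_temp_alert]
enableSched = 1
cron_schedule = 0 9 * * *
search = index=index1 sourcetype="devices" earliest=-24h latest=now \
  | stats avg(temp) as avg_temp by customer_id \
  | where avg_temp < 15 \
  | eval trigger_time=now(), \
         trigger_date=strftime(now(), "%Y-%m-%d"), \
         window_start=strftime(relative_time(now(), "-24h"), "%Y-%m-%d %H:%M")
counttype = number of events
relation = greater than
quantity = 0
# "Output results to lookup" alert action, in append mode so history accumulates.
action.lookup = 1
action.lookup.filename = alert_history.csv
action.lookup.append = 1

# 2. The report: how many times each customer_id triggered in the last 3 months.
#    Lookup values come back as strings, so trigger_time is converted before
#    the numeric comparison against relative_time().
[device_low_temp_alert_history_90d]
search = | inputlookup alert_history.csv \
  | eval trigger_time=tonumber(trigger_time) \
  | where trigger_time >= relative_time(now(), "-90d@d") \
  | stats count AS times_triggered, \
          min(trigger_date) AS first_triggered, \
          max(trigger_date) AS last_triggered, \
          min(avg_temp) AS lowest_avg_temp \
    by customer_id \
  | sort - times_triggered

# 3. Retention job: rewrite the lookup keeping only rows newer than 90 days.
#    Scheduled after the alert so the two never write the file at the same
#    time; override_if_empty=false stops an empty result set from wiping it.
[device_low_temp_alert_history_prune]
enableSched = 1
cron_schedule = 30 9 * * *
search = | inputlookup alert_history.csv \
  | eval trigger_time=tonumber(trigger_time) \
  | where trigger_time >= relative_time(now(), "-90d@d") \
  | outputlookup override_if_empty=false alert_history.csv
```

The same three searches can be pasted into the search bar or the alert/report UI if you would rather not edit the .conf file; the alert one is just the original search with the `eval` added on the end. Run the prune search once by hand against a copy of the lookup first, because `outputlookup` without `append=true` replaces the whole file with whatever the `where` lets through.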