- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- alert report/search showing triggered devices
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alert report/search showing triggered devices
We have alerts setup which trigger an email when a specific device has triggered. This has been working great and provided good alerting based on threshold below.
The search is below:
index=index1 sourcetype="devices" earliest=-24h latest=now| stats avg(temp) as avg_temp by customer_id | where avg_temp < 15
However a customer wants reporting to show the individual customer/device and how many times it has alerted.Is there any way to report on this as the scheduler.log doesnt provide this granularity for say 3 months triggered alerts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @adrianrepublic
You could add the alert action "Output results to lookup". So you have it in a table as long as you need it.
You can then create a report based on this lookup.
Hope it helps
BR
Ralph
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rnowitzki many thanks for this that could be a great option.
I will set this up and hopefully it produces a report. Would you suggest appending or replacing? I would like to be able to keep a certain amount overtime so appending would make more sense.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe append and also keep the timestamp. You could setup up another job that removes lines older than x months...
Cheers
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @rnowitzki it seems to have produced the csv which is great.
However because the alert trigger is based on a value over an average over 24 hours and the scheduled alert runs everyday at 9am the timestamp how do i add the timestamp/date to the csv?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @adrianrepublic ,
You could add this at the end of your search, to get a column with today's date:
|eval today=strftime(now(), "%Y-%m-%d")Or this, if you prefer epoch
|eval todayepoch=now()
The field should then be also created in the csv.
Hope that works for you.
BR
Ralph
Karma and/or Solution tagging appreciated.
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
Buttercup Games: Further Dashboarding Techniques (Part 5)
