Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

alert report/search showing triggered devices

adrianrepublic
Explorer
‎10-14-2020 04:11 AM

We have alerts setup which trigger an email when a specific device has triggered. This has been working great and provided good alerting based on threshold below. 

The search is below:

index=index1 sourcetype="devices" earliest=-24h latest=now| stats avg(temp) as avg_temp by customer_id | where avg_temp < 15

However a customer wants reporting to show the individual customer/device and how many times it has alerted.Is there any way to report on this as the scheduler.log doesnt provide this granularity for say 3 months triggered alerts?

 

Labels (1)
Labels
Tags (2)
Preview file
43 KB
0 Karma
Reply

rnowitzki
Builder
‎10-14-2020 04:17 AM

Hi  @adrianrepublic 

You could add the alert action "Output results to lookup". So you have it in a table as long as you need it.
You can then create a report based on this lookup.

Hope it helps
BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply

adrianrepublic
Explorer
‎10-14-2020 07:01 AM

Hi @rnowitzki many thanks for this that could be a great option.

 

I will set this up and hopefully it produces a report. Would you suggest appending or replacing? I would like to be able to keep a certain amount overtime so appending would make more sense.

0 Karma
Reply

rnowitzki
Builder
‎10-14-2020 07:05 AM

Maybe append and also keep the timestamp. You could setup up another job that removes lines older than x months...

Cheers

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply

adrianrepublic
Explorer
‎10-16-2020 05:36 AM

hi @rnowitzki  it seems to have produced the csv which is great.

 

However because the alert trigger is based on a value over an average over 24 hours and the scheduled alert runs everyday at 9am the timestamp how do i add the timestamp/date to the csv?

0 Karma
Reply

rnowitzki
Builder
‎10-16-2020 06:06 AM

Hi @adrianrepublic ,

You could add this at the end of your search, to get a column with today's date:

|eval today=strftime(now(), "%Y-%m-%d")

Or this, if you prefer epoch

|eval todayepoch=now()


The field should then be also created in the csv.

Hope that works for you.
BR
Ralph 

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...