Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

alert report/search showing triggered devices

adrianrepublic
Explorer
‎10-14-2020 04:11 AM

We have alerts setup which trigger an email when a specific device has triggered. This has been working great and provided good alerting based on threshold below. 

The search is below:

index=index1 sourcetype="devices" earliest=-24h latest=now| stats avg(temp) as avg_temp by customer_id | where avg_temp < 15

However a customer wants reporting to show the individual customer/device and how many times it has alerted.Is there any way to report on this as the scheduler.log doesnt provide this granularity for say 3 months triggered alerts?

 

Labels (1)
Labels
Tags (2)
Preview file
43 KB
0 Karma
Reply

rnowitzki
Builder
‎10-14-2020 04:17 AM

Hi  @adrianrepublic 

You could add the alert action "Output results to lookup". So you have it in a table as long as you need it.
You can then create a report based on this lookup.

Hope it helps
BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply

adrianrepublic
Explorer
‎10-14-2020 07:01 AM

Hi @rnowitzki many thanks for this that could be a great option.

 

I will set this up and hopefully it produces a report. Would you suggest appending or replacing? I would like to be able to keep a certain amount overtime so appending would make more sense.

0 Karma
Reply

rnowitzki
Builder
‎10-14-2020 07:05 AM

Maybe append and also keep the timestamp. You could setup up another job that removes lines older than x months...

Cheers

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply

adrianrepublic
Explorer
‎10-16-2020 05:36 AM

hi @rnowitzki  it seems to have produced the csv which is great.

 

However because the alert trigger is based on a value over an average over 24 hours and the scheduled alert runs everyday at 9am the timestamp how do i add the timestamp/date to the csv?

0 Karma
Reply

rnowitzki
Builder
‎10-16-2020 06:06 AM

Hi @adrianrepublic ,

You could add this at the end of your search, to get a column with today's date:

|eval today=strftime(now(), "%Y-%m-%d")

Or this, if you prefer epoch

|eval todayepoch=now()


The field should then be also created in the csv.

Hope that works for you.
BR
Ralph 

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...