how can I do to create one search when I can see t...

samir_silva · ‎09-22-2015

Hello.

Can you help me?

how can I do to create one search when I can see the severity of the alert?

for example:

Alert severity count
Brute Force High 45
PortScan low 42
Create User info 2
Delete User medium 15

Thanks

gcato · ‎09-22-2015

Hi Samir,

You can use the REST API to get this result. For example:

| rest /services/alerts/fired_alerts/-
 |stats sum(triggered_alerts) AS count BY savedsearch_name, severity
 |eval severity = case(severity==1, "Info",
                       severity==2, "Low",
                       severity==3, "Medium",
                       severity==4, "High",
                       severity==5, "Critical")
 |rename savedsearch_name AS Alert
 |table Alert severity count

Hope this helps.

samir_silva · ‎09-24-2015

Tranks for help,

My finish search.

| rest https://localhost:8089/servicesNS/your-user/-/alerts/fired_alerts/- |stats sum(triggered_alerts) AS count BY savedsearch_name, severity
|eval severity = case(severity==1, "Info",
severity==2, "Low",
severity==3, "Medium",
severity==4, "High",
severity==5, "Critical")
|rename savedsearch_name AS Alert
|table Alert severity count
|sort - count

how can I do to create one search when I can see the severity of the alert?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio