Alerting

how can I do to create one search when I can see the severity of the alert?

samir_silva
New Member

Hello.

Can you help me?

how can I do to create one search when I can see the severity of the alert?

for example:

Alert severity count
Brute Force High 45
PortScan low 42
Create User info 2
Delete User medium 15

Thanks
alt text
alt text

Tags (2)
0 Karma

gcato
Contributor

Hi Samir,

You can use the REST API to get this result. For example:

| rest /services/alerts/fired_alerts/-
 |stats sum(triggered_alerts) AS count BY savedsearch_name, severity
 |eval severity = case(severity==1, "Info",
                       severity==2, "Low",
                       severity==3, "Medium",
                       severity==4, "High",
                       severity==5, "Critical")
 |rename savedsearch_name AS Alert
 |table Alert severity count

Hope this helps.

samir_silva
New Member

Tranks for help,

My finish search.

| rest https://localhost:8089/servicesNS/your-user/-/alerts/fired_alerts/- |stats sum(triggered_alerts) AS count BY savedsearch_name, severity
|eval severity = case(severity==1, "Info",
severity==2, "Low",
severity==3, "Medium",
severity==4, "High",
severity==5, "Critical")
|rename savedsearch_name AS Alert
|table Alert severity count
|sort - count

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...