how to pull a list of alerts which is having speci...

iqbalintouch · ‎04-16-2020

Hi,

How can I pull a list or report of alerts which is having any of these specific words?
"purchase" OR "search" OR "booking"

memarshall63 · ‎04-16-2020

Do you mean something like this?:

|rest /servicesNS/-/-/saved/searches 
| table title eai:acl.app eai:acl.owner actions search

So maybe with your criteria, it'd be:

|rest /servicesNS/-/-/saved/searches 
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"

Alerts generally have actions so you could add a filter for those, or there may be other ways to do it:

|rest /servicesNS/-/-/saved/searches 
| search NOT actions="" 
| table title eai:acl.app eai:acl.owner actions search 
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"

to4kawa · ‎04-16-2020

see https://answers.splunk.com/answers/509669/how-to-create-a-dashboard-that-gives-information-a.html

how to pull a list of alerts which is having specific word?

alert condition

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting