I have created alerts based on use case, e.g. failed authentications. These alerts pertain to different data sources (failed auth on Windows, failed auth on Linux, etc.). The alert results go into the internal index. I want to display the count of these alerts on a dashboard. Currently I am doing this by using the savedsearchname field and correlating against the "Failed-auth" in the name as follows:
However, this makes me dependent on correct naming conventions. I would rather create a tag (say alert-typ=failed-auth) when the alert gets written to the _internal index. I know you can do this using summary indexing, but the customer doesn't want to use summary indexing. Any suggestions?
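An added illustration of the two approaches contrasted in the question (example searches, not the poster's own; the field names come from Splunk's scheduler log, the lookup file `alert_types.csv` and its columns are assumed here):

```spl
/* Name-dependent approach: count scheduler runs whose saved search name contains "Failed-auth" */
index=_internal sourcetype=scheduler status=success result_count>0
    savedsearch_name="*Failed-auth*"
| stats count AS alert_count BY savedsearch_name

/* Name-independent approach: map each saved search to an alert_type via an assumed lookup
   (alert_types.csv with columns savedsearch_name,alert_type) instead of relying on naming */
index=_internal sourcetype=scheduler status=success result_count>0
| lookup alert_types.csv savedsearch_name OUTPUT alert_type
| where isnotnull(alert_type)
| stats count AS alert_count BY alert_type
```

The `result_count>0` filter counts only runs that actually produced results; drop it if the dashboard should show every scheduled execution.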