Dashboards & Visualizations

Saved Searches - Log Events to Existing Index - Not working

iamsgsn
New Member

Hello,

I've created real-time alerts in Splunk Enterprise 7.1.2, and I want to log each triggered event to an index, so I can create a dashboard that shows alerts over time. The task seems pretty straight forward ( create alert, add action, log event, etc); however, I cannot get this to work. I'm trying to redirect this to my existing index.

This seems to be not working, and I don't have access to the main index as per my company's policy. Please help me in logging this event to my custom index.

Looking forward to hear from you.

0 Karma

mayurr98
Super Champion

Are you looking to index events which are triggered through alert?
Then :
2) Create a new index
1) Edit the alert you want to index.Go to Trigger Actions and click on + Add Actions
2) click on "Log Event" and specify the index details.

Then you should see triggered events in that index

let me know if this helps!

0 Karma

iamsgsn
New Member

Hello Thanks for the reply.
So you mean to say it won't work with any of the existing indexes? i tried with my existing index and i am not able to query the events after doing the above mentioned steps.
Let me know how can i achieve the same using existing indexes and source types.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Are you looking for a list of alerts that have triggered recently or something more than that?

For triggered alerts, try | rest/servicesNS/-/-/alerts/fired_alerts| search NOT title="-". This is maintained automatically by Splunk so you don't have to use your own indexing.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...