Dashboards & Visualizations

Saved Searches - Log Events to Existing Index - Not working

iamsgsn
New Member

Hello,

I've created real-time alerts in Splunk Enterprise 7.1.2, and I want to log each triggered event to an index, so I can create a dashboard that shows alerts over time. The task seems pretty straightforward (create alert, add action, log event, etc.); however, I cannot get this to work. I'm trying to redirect this to my existing index.

This seems to be not working, and I don't have access to the main index as per my company's policy. Please help me in logging this event to my custom index.

Looking forward to hearing from you.

0 Karma

mayurr98
Super Champion

Are you looking to index events which are triggered through alert?
Then:
1) Create a new index.
2) Edit the alert you want to index. Go to Trigger Actions and click on + Add Actions.
3) Click on "Log Event" and specify the index details.

Then you should see triggered events in that index.

Let me know if this helps!

0 Karma
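The same Log Event configuration as a savedsearches.conf stanza, added here as an illustration (not from either poster), together with the search that would chart the logged alerts. It assumes a custom index named security_alerts, an alert named failed_logins_spike and a scheduled alert for simplicity; the action.logevent keys are the same for a real-time alert.

```ini
# savedsearches.conf (assumed app: search) - added example, not from the thread
# Assumed names: index "security_alerts", alert "failed_logins_spike".
[failed_logins_spike]
search = index=auth action=failure | stats count by host user
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Enable the built-in "Log Event" alert action and point it at the custom index.
actions = logevent
action.logevent = 1
action.logevent.param.index = security_alerts
action.logevent.param.sourcetype = splunk_alert
action.logevent.param.source = alert:failed_logins_spike
action.logevent.param.host = splunk-search-head
# key=value text so the fields are auto-extracted at search time;
# $name$ is the alert name, $job.resultCount$ the number of matching rows.
action.logevent.param.event = alert=$name$ results=$job.resultCount$ severity=medium

# Dashboard panel search over the logged events (run from the Search app):
#   index=security_alerts sourcetype=splunk_alert | timechart span=1h count by alert
#
# Checks if nothing shows up:
#   - the index must exist on the indexer(s) AND be listed in the searching
#     role's allowed/searchable indexes (authorize.conf), or the events are
#     written but invisible to that user (the symptom described above);
#   - alert action errors are logged by splunkd:
#       index=_internal sourcetype=splunkd sendmodalert logevent
```

The `index=_internal` search needs read access to _internal, which an admin can run on the asker's behalf if that index is also restricted.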

iamsgsn
New Member

Hello, thanks for the reply.
So you mean to say it won't work with any of the existing indexes? I tried with my existing index and I am not able to query the events after doing the above mentioned steps.
Let me know how I can achieve the same using existing indexes and source types.

0 Karma

richgalloway
SplunkTrust

Are you looking for a list of alerts that have triggered recently or something more than that?

For triggered alerts, try | rest /servicesNS/-/-/alerts/fired_alerts | search NOT title="-". This is maintained automatically by Splunk so you don't have to use your own indexing.

---
If this reply helps you, Karma would be appreciated.
0 Karma