Saved Searches - Log Events to Existing Index - No...

iamsgsn · ‎01-22-2019

Hello,

I've created real-time alerts in Splunk Enterprise 7.1.2, and I want to log each triggered event to an index, so I can create a dashboard that shows alerts over time. The task seems pretty straight forward ( create alert, add action, log event, etc); however, I cannot get this to work. I'm trying to redirect this to my existing index.

This seems to be not working, and I don't have access to the main index as per my company's policy. Please help me in logging this event to my custom index.

Looking forward to hear from you.

mayurr98 · ‎01-23-2019

Are you looking to index events which are triggered through alert?
Then :
2) Create a new index
1) Edit the alert you want to index.Go to Trigger Actions and click on + Add Actions
2) click on "Log Event" and specify the index details.

Then you should see triggered events in that index

let me know if this helps!

iamsgsn · ‎01-23-2019

Hello Thanks for the reply.
So you mean to say it won't work with any of the existing indexes? i tried with my existing index and i am not able to query the events after doing the above mentioned steps.
Let me know how can i achieve the same using existing indexes and source types.

richgalloway · ‎01-22-2019

Are you looking for a list of alerts that have triggered recently or something more than that?

For triggered alerts, try | rest/servicesNS/-/-/alerts/fired_alerts| search NOT title="-". This is maintained automatically by Splunk so you don't have to use your own indexing.

---
If this reply helps you, Karma would be appreciated.

Saved Searches - Log Events to Existing Index - Not working

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!