to provide the list of P1C alerts for JMET cluste...

Splunk-Star · ‎08-13-2024

There is a request to provide the list of P1C alerts for JMET cluster from Splunk
we have provided the following query, but user wants only priority will be P1C

| rest /servicesNS/-/-/saved/searches
| table title, eai:acl.owner, search, actions, action.apple_alertaction *

This query is giving all the alerts configured but we want only P1C alerts.

Its urgent.

deepakc · ‎08-14-2024

I suspect you want to know about priority alerts, but how will Splunk magically know about this?

Its always better to give good context to the Splunk communiy, so what is P1C? and JMET sounds like some internal Splunk environment company code (which you should anonymise)

Unless you have say for instance in the saved search title name P1C, example, my_search_P1C, Splunk will not be able to find it or filter on it.

Or you will need to use the eval command and for each saveded that you know is a P1C and assign a eval field called priority, but will require a lot of work.

Tip: As ever its always best practise to have good business naming conventions, makes things easier in the long run

Example using makeresults to assign PC1

| makeresults count=2
| streamstats count as search_num
| eval title=case(search_num=1, "my_savedsearch1", search_num=2, "my_savedsearch2")
| eval priority=if(title=="my_savedsearch1", "P1C", null())
| fields - search_num

to provide the list of P1C alerts for JMET cluster from Splunk

search head clustering

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?