to provide the list of P1C alerts for JMET cluste...

Splunk-Star · ‎08-13-2024

There is a request to provide the list of P1C alerts for JMET cluster from Splunk
we have provided the following query, but user wants only priority will be P1C

| rest /servicesNS/-/-/saved/searches
| table title, eai:acl.owner, search, actions, action.apple_alertaction *

This query is giving all the alerts configured but we want only P1C alerts.

Its urgent.

deepakc · ‎08-14-2024

I suspect you want to know about priority alerts, but how will Splunk magically know about this?

Its always better to give good context to the Splunk communiy, so what is P1C? and JMET sounds like some internal Splunk environment company code (which you should anonymise)

Unless you have say for instance in the saved search title name P1C, example, my_search_P1C, Splunk will not be able to find it or filter on it.

Or you will need to use the eval command and for each saveded that you know is a P1C and assign a eval field called priority, but will require a lot of work.

Tip: As ever its always best practise to have good business naming conventions, makes things easier in the long run

Example using makeresults to assign PC1

| makeresults count=2
| streamstats count as search_num
| eval title=case(search_num=1, "my_savedsearch1", search_num=2, "my_savedsearch2")
| eval priority=if(title=="my_savedsearch1", "P1C", null())
| fields - search_num

to provide the list of P1C alerts for JMET cluster from Splunk

search head clustering

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)