
I have a dashboard showing a list of triggered alerts, but how can I include information about the host that triggered the alert?

gcusello
Legend

Hi at all,

I show the triggered alerts on a dashboard using a search on the _internal index with source="/opt/splunk/var/log/splunk/scheduler.log", and then I join the results with a REST extraction to enrich them with information from the saved searches.

My problem is getting the information about the host that triggered the alert, because in my search the only host is the Search Head, but I need the hostname of the alerted host.
Can I get it?
Thank you in advance.
Bye.
Giuseppe

0 Karma

javiergn
SplunkTrust

If I understand correctly, you want to know the host that generated the log that triggered your alert, is that correct?
That host should be in the host field of your originating event, and therefore, when you create the alert, you just need to include the host name there.

You can even pass the host name in the subject field of your alert. See this.

Hope that helps,
J

0 Karma

gcusello
Legend

I don't need to pass the hostname to an email as a token; my problem is having it in a search that shows all the alerts triggered in a period.
I have the triggered alerts list with a search like this:
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" result_count>0 | table _time thread_id app savedsearch_name result_count | join savedsearch_name [| rest /services/saved/searches | dedup search | table author eai:acl.app title alert.severity is_scheduled id qualifiedSearch dispatch.earliest_time | rename dispatch.earliest_time AS timerange title AS savedsearch_name eai:acl.app AS app | fields author app savedsearch_name alert.severity timerange] ...
But the problem is that the hostname isn't in this search result.
It's in the alert's results, but I don't know how to connect those results to my search.

0 Karma

javiergn
SplunkTrust

I see. I know you can include tokens in the alert title within Enterprise Security when creating notable events. Simply add $host$ or $result.hostname$ or whatever field name you want to use to the title, then search it and join it with:

| rest /services/saved/searches | table title

But I don't know if this is going to work outside ES.

Some other options I can think of:

  • Use the collect command and send the alert information (including the host) to a summary index that you can later search and present.
  • Your alert could trigger an email that includes the hostname in the subject or body. You can later download those emails using an app such as the IMAP one.
  • Your alert could trigger a script that gets all the required information via tokens and then outputs it into a CSV file that you can later read with an inputlookup.

Hope that helps. I don't know any other way of doing it.

Regards,
J

0 Karma
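A worked version of the summary-index option from the answer above, written as savedsearches.conf stanzas. This is an added example, not the poster's or Splunk's own code; the alert name (cpu_busy_alert), the source index (os) and the summary index (alerts_summary) are made-up assumptions.

```ini
# savedsearches.conf (constructed example; names are assumptions)

# 1) The alert keeps its own host information by writing its results to a
#    summary index. The summary index action runs collect under the hood.
#    The result's host field is renamed first so it does not collide with
#    the host metadata of the summary event (which would be the search head).
[cpu_busy_alert]
search = index=os sourcetype=cpu_metrics \
| stats avg(pctIdle) AS avg_idle BY host \
| where avg_idle < 10 \
| rename host AS alert_host \
| eval _time=now()
cron_schedule = */5 * * * *
enableSched = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
action.summary_index = 1
action.summary_index._name = alerts_summary
# Extra field stamped on every summary event so it can be joined back to
# the scheduler.log entry for this saved search.
action.summary_index.savedsearch_name = cpu_busy_alert

# 2) The dashboard search: scheduler.log gives the trigger, the summary
#    index gives the hosts. Both sides are bucketed to 5 minutes because the
#    scheduler.log line is written when the search finishes, a few seconds
#    after now() of the alert search; a trigger right at a bucket boundary
#    can still land in different buckets, so widen the span if that happens.
[triggered_alerts_with_hosts]
search = index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" result_count>0 \
| bin _time span=5m \
| stats sum(result_count) AS result_count BY _time savedsearch_name \
| append [ search index=alerts_summary savedsearch_name=* \
    | bin _time span=5m \
    | stats values(alert_host) AS alerted_hosts BY _time savedsearch_name ] \
| stats values(result_count) AS result_count values(alerted_hosts) AS alerted_hosts BY _time savedsearch_name \
| where isnotnull(result_count)
dispatch.earliest_time = -24h
dispatch.latest_time = now
```

The final where keeps only buckets that scheduler.log actually reported as triggered, so summary events without a matching trigger line are dropped rather than shown as alerts.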

gcusello
Legend

Maybe it could be possible to extract the hostname by executing the alert search in a subsearch.
I'll try this.

0 Karma

jkat54
SplunkTrust

Trying to understand you...

The alert is triggered on SEARCH HEAD B, and then a dashboard on SEARCH HEAD A will display that SEARCH HEAD B triggered the alert / ran the search that triggered the alert?

OR did you mean this:

The alert is triggered on SEARCH HEAD A, and then a dashboard on SEARCH HEAD A will display that SERVER A was beyond thresholds and caused the search to trigger the alert.

0 Karma

gcusello
Legend

I have only one Search Head, but I'd like to have the hostname of the Universal Forwarder that sent the log that triggered the alert.
I have it in my alert results, but I don't know how to take it and insert it into my dashboard, which takes triggered alerts from the "_internal" index and the REST savedsearches endpoint.

0 Karma