Hi all,
I show the triggered alerts on a dashboard using a search on the _internal index with source="/opt/splunk/var/log/splunk/scheduler.log", and then I join the results to a REST call to enrich them with information from the saved search.
My problem is getting the information about the host that triggered the alert: in my search the only host is the Search Head, but I need the hostname of the host that raised the alert.
Can I have it?
Thank you in advance.
If I understand correctly, you want to know the host that generated the log that triggered your alert, is that correct?
That host should be in the host field of your originating event and therefore, when you create the alert you just need to include the host name there.
You can even pass the host name in the subject field of your alert. See this.
Hope that helps,
I don't need to pass the hostname to an email as a token; my problem is to have it in a search that shows all the alerts triggered in a period.
I have the triggered alerts list with a search like this:
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" result_count>0 | table _time thread_id app savedsearch_name result_count | join savedsearch_name [| rest /services/saved/searches | dedup search | table author eai:acl.app title alert.severity is_scheduled id qualifiedSearch dispatch.earliest_time | rename dispatch.earliest_time AS timerange title AS savedsearch_name eai:acl.app AS app | fields author app savedsearch_name alert.severity timerange] ...
But the problem is that the hostname isn't in this search result.
It's in the alert results, but I don't know how to connect those results to my search.
I see. I know you can include tokens in the alert title within Enterprise Security when creating notable events. Simply add $host$ or $result.hostname$ or whatever field name you want to use to the title, then search it and join it with:
| rest /services/saved/searches | table title
But I don't know if this is going to work outside ES.
Some other options I can think of:
Hope that helps. I don't know any other way of doing it.
Trying to understand you...
The alert is triggered on SEARCH HEAD B, and then a dashboard on SEARCH HEAD A will display that SEARCH HEAD B triggered the alert / ran the search that triggered the alert?
OR did you mean this
The alert is triggered on SEARCH HEAD A, and then a dashboard on SEARCH HEAD A will display that SERVER A was beyond thresholds and caused the search to trigger the alert.
I have only one Search Head, but I'd like to have the hostname of the Universal Forwarder that sent the log that triggered the alert.
I have it in my alert results, but I don't know how to take it and insert it in my dashboard, which takes triggered alerts from the "_internal" index and REST saved searches.
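As an added example (not posted by anyone in this thread, and using a different technique from the title-token idea suggested above): the scheduler.log entry for each triggered alert carries the search job's sid, and `loadjob` can read that job's stored results, so `map` can pull the `host` values out of the alert's own results and attach them to the scheduler row before the REST join. It assumes the alert artifacts are still retained on the Search Head (the dispatch/alert expiry has not passed), that the dashboard user is allowed to load those jobs, and that scheduler.log exposes the `sid`, `status` and `savedsearch_name` fields; `triggered_at` and `hosts` are field names chosen here.

```spl
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" status=success result_count>0
| eval triggered_at=_time
| table triggered_at sid savedsearch_name app result_count
| map maxsearches=50 search="| loadjob \"$sid$\" | eval savedsearch_name=\"$savedsearch_name$\", app=\"$app$\", triggered_at=\"$triggered_at$\" | stats count AS events values(host) AS hosts BY savedsearch_name app triggered_at"
| join type=left savedsearch_name [
    | rest /services/saved/searches
    | rename title AS savedsearch_name eai:acl.app AS app
    | table savedsearch_name app author alert.severity ]
| eval triggered_at=strftime(triggered_at, "%Y-%m-%d %H:%M:%S")
| table triggered_at savedsearch_name app author alert.severity events hosts
```

Each scheduler row spawns one `loadjob` subsearch, so keep the dashboard time range short or raise `maxsearches` deliberately; rows whose artifacts have already expired simply return no `hosts`, which is also a useful check that alert result retention covers the period the dashboard is meant to show.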