
how to add Alert name and triggered time to lookup file

visvar90
Engager

Hi,

I would like to add alert name and its triggered time to a lookup file once the alert is triggered.

I don't need the results; instead, the alert name and triggered time would do.

Basically, I need this data for reporting purposes. I am aware that this can be taken using Triggered alerts and using the REST API, or by getting the data from the audit index.

When I use the REST API for triggered alerts, the triggered time is not there, and for the audit index, only admins have access.

So, trying to do something while the alert is getting triggered.


ITWhisperer
SplunkTrust

You could include an outputlookup in your alert search, although the alert search would need to include the logic that it was going to trigger on, so that depends on how your triggers are defined, and if your trigger changes, you may have to change the search as well.
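As an added example (not from ITWhisperer's reply), this is what such an alert search looks like when the trigger condition is embedded in the search itself and the alert name and trigger time are appended to a lookup. The index, sourcetype, time window, threshold, alert name and lookup file name are placeholders I chose for illustration:

```spl
index=web sourcetype=access_combined status>=500 earliest=-15m
| stats count AS error_count
| where error_count > 50
| eval alert_name="HTTP 5xx spike",
       triggered_time=strftime(now(), "%Y-%m-%d %H:%M:%S %Z")
| table alert_name triggered_time error_count
| outputlookup append=true alert_trigger_log.csv
```

The `where` clause is the trigger condition: when the threshold is not met, `stats` returns a single row with `error_count=0`, `where` drops it, and `outputlookup` writes nothing, so the lookup only gains a row when the alert actually fires. Save the alert with the trigger condition "Number of Results is greater than 0" so the saved-search trigger and the embedded `where` agree; if you later change the threshold in the alert settings, change the `where` too, which is the maintenance cost ITWhisperer points out. `append=true` keeps earlier rows; `append=false` (the default) would overwrite the file on every trigger. Two things to check before relying on this: the user who owns the alert needs write permission on the lookup in the app where the alert is saved, and any ad-hoc run of the same search also appends a row, so test against a scratch lookup name first.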


visvar90
Engager

Thanks @gcusello

Unfortunately we don't have access to the audit table. Only admins can access it.

Hence trying to workaround while the alert is generated. Just need the alert name and triggered time.


gcusello
SplunkTrust

Hi @visvar90 ,

you could ask your admins to schedule this search (with the collect command to save into a summary index, or outputlookup to save into a lookup), and then you can access the summary index or the lookup.

In this way, you can access only the alerts information from the audit index.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @visvar90,

you can use this search (thanks to @MuS ) to identify the triggered alerts:

index=_audit action="alert_fired" 
| rename ss_name AS title 
| join title [ | rest /services/saved/searches | table title, alert_threshold ] 
| timechart values(alert_threshold) AS alert_threshold count by title

Then you can save the results in a lookup with outputlookup or (better) in a summary index (using the collect command) that you can use for your reports.
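As an added example (not from gcusello's post), this is the admin-side scheduled search that copies only the alert-fired facts out of `_audit` into a summary index that non-admin users can be granted access to. The summary index name `alert_history`, its sourcetype and the marker string are placeholders I chose; `ss_name`, `_time` and `user` are the fields on the `alert_fired` audit event that the search relies on:

```spl
index=_audit action="alert_fired" earliest=-1h@h latest=@h
| rename ss_name AS alert_name
| eval triggered_time=strftime(_time, "%Y-%m-%d %H:%M:%S %Z")
| table _time alert_name triggered_time user
| collect index=alert_history sourcetype=alert_history marker="source=audit_alert_fired"
```

Schedule it hourly with a cron such as `5 * * * *`; the snapped `earliest=-1h@h latest=@h` window then covers exactly the previous hour, which matters because `collect` has no de-duplication and overlapping windows would double-count triggers. The `marker` value is stored on every summary event so you can tell these rows apart from anything else written to the same index. Once the admin grants the reporting role read access to `alert_history`, the reporting user can build the report without touching `_audit`, for example `index=alert_history sourcetype=alert_history | stats count AS fired_count latest(triggered_time) AS last_fired by alert_name`. Exposing only this derived index, rather than `_audit` itself, is what keeps the rest of the audit trail (logins, search activity, configuration changes) restricted to admins.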

Ciao.

Giuseppe
