Splunk Enterprise Security

list of events alerted last month

splunkcol
Contributor

With this query I can see the notable events that are currently active.

But not everyone has been alerted even if they are active.

I would like to know what the query would be to see those that the tool has alerted in the last month.

 

| rest splunk_server=local count=0 /services/saved/searches
| search action.notable.param.severity=*
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| table csearch_name, csearch_label, app, security_domain, description, action.notable.param.severity

splunkcol
Contributor

 

Solved

`notable`
| search NOT `suppression` 
| fields rule_name urgency
| stats count(eval(urgency="low")) as low count(eval(urgency="medium")) as medium count(eval(urgency="high")) as high count(eval(urgency="critical")) as critical by rule_name

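As an added example, not part of splunkcol's answer, the same count restricted to the previous calendar month. It pivots on whatever urgency values actually occur (so informational notables are not silently dropped) instead of naming each urgency, and adds a per-rule total so the noisiest rules sort first. It assumes the Enterprise Security `notable` and `suppression` macros and the `rule_name` and `urgency` fields used in the answer above.

```spl
`notable`
| search NOT `suppression`
| where _time >= relative_time(now(), "-1mon@mon") AND _time < relative_time(now(), "@mon")
| eval urgency=lower(coalesce(urgency, "unknown"))
| chart count over rule_name by urgency
| addtotals fieldname=total
| sort - total
```

Run it with the time range picker set to cover the previous month (for example `earliest=-1mon@mon latest=@mon` in the search bar); the `where` clause only narrows what the picker already returned. Each row counts notable events, not distinct alerts that were acknowledged, so a rule that fired many times shows its full volume, and a rule that produced no notables last month does not appear at all.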