Solved: How can I retrieve fired alerts in chronological o...

av81 · ‎07-22-2024

Hello,

I used Splunk REST API with Search endpoint to be able to retrieve the latest fired alerts based on a title search.

I get the fired alerts in alphabetical order but not in chronological order since all the alerts obtained have the default field <updated>1970-01-01T01:00:00+01:00</updated>.

Here's the url and query I used :
https://<host>:<mPort>/services/alerts/fired_alerts?search=name%3DSOC%20-*&&sort_dir=desc&sort_key=u...

| rest /services/alerts/fired_alerts/
| search title="SOC - *"
| sort -updated
| table title, updated, triggered_alert_count, author

Here are the references I used :
Search endpoint descriptions - Splunk Documentation
Using the REST API reference - Splunk Documentation

So, how can I retrieve fired alerts in chronological order with a title search ? Or how can I obtain a field indicating the date the alert was triggered ?

Thanks in advance.

marnall · ‎07-22-2024

You could use the /services/search/v2/jobs REST endpoint

| rest /services/search/v2/jobs 
| search label = "SOC - *"
| sort - updated
| table label updated author ```add fields as desired```

marnall · ‎07-22-2024

You could use the /services/search/v2/jobs REST endpoint

| rest /services/search/v2/jobs 
| search label = "SOC - *"
| sort - updated
| table label updated author ```add fields as desired```

How can I retrieve fired alerts in chronological order ?