Hi,
Looking for a suggestion/query to monitor the triggered alerts of one particular search head (one Splunk URL) using another Splunk Search Head (another splunk URL)
With 4 fields included
_time, Alert Name, Mail notifications, results
Search heads don't normally search each other. However, if the SHs are forwarding their logs to the indexers (as they should) then you should be able to find the triggered alert in the audit log. Try this search:
index=_audit action=alert_fired host=<one SH>
Hi @richgalloway - Thanks for providing the assistance
Actually i was looking for a query without index=audit as i don't have admin priviliges.
There is no way to access that data without the proper privileges. There is a REST command to fetch fired alerts, but that won't work between search heads - only on the local SH or between the MC and SH.