Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to consolidate all the alerts from ITSI?

splkjk
Explorer
‎10-14-2022 11:31 AM

Hello Splunkers, We have a requirement where we need to get the consolidated list of alerts in ITSI that  was generated and need to get status of alerts (closed or still active)

When i run the below query  index="itsi_grouped_alerts" source="XXXX" sourcetype = itsi_notable:group, i don't see any status of the alerts.

Is there any way where we can have all the alerts from ITSI listed with status

Labels (3)
Tags (1)
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎01-04-2023 06:21 AM

Hi! 

Try something like this: 

| tstats latest(_time) as _time latest(alert_level) as alert_level latest(itsi_group_severity) as itsi_group_severity latest(itsi_group_status) as itsi_group_status  where index=itsi_grouped_alerts AND NOT itsi_group_status::5 earliest=-24h latest=now by itsi_group_id

 

/Seb 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...