Hi team,
I'm trying to build a search which will search for the alerts which have been triggered for hosts during a specific period of time, which are in the lookup, and ideally I'd like to show the results with the below:
- hostname
- description of the alert
- when alert was triggered
I would appreciate any guide or assistance.
Kind regards
Hi @szukacz
let me know if this search works for your case
| rest /servicesNS/-/-/saved/searches
| search title="*"
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1")
| table title, lastUpdated, nextRunTime, emailTo, action.lookup.filename, query, severity
| fillnull value=""
| sort -lastUpdated
Thank you so much for this search, it works great. Can we tune it to extract the hostname from the alert or can we use lookup list to filter only hosts on that list?
Hi @szukacz
| rest /servicesNS/-/-/saved/searches
| search title="*"
| rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1")
| table title, lastUpdated, nextRunTime, emailTo, action.lookup.filename, query, severity, splunk_server
| fillnull value=""
| sort -lastUpdated
If this search helps, a karma point and confirming the solution are appreciated.
Regards
Alessandro
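The REST search above lists alert definitions rather than firings, so here is an added SPL search (not from this thread) that reads the Triggered Alerts list for a period, loads each firing's results to recover the host, keeps only hosts present in a lookup, and attaches the alert description. It assumes the alerts have "Add to Triggered Alerts" enabled and their job artifacts have not yet expired, that the alert results carry a host field, and that the lookup is named monitored_hosts.csv with a host column (placeholder name).

```spl
| rest /services/alerts/fired_alerts/-
| eval trigger_time=tonumber(trigger_time)
| where trigger_time >= relative_time(now(), "-7d@d")
| fields savedsearch_name sid trigger_time
| map maxsearches=50 search="| loadjob $sid$ | eval alert_name=\"$savedsearch_name$\", triggered=\"$trigger_time$\" | fields host alert_name triggered"
| search [| inputlookup monitored_hosts.csv | fields host]
| join type=left alert_name
    [| rest /servicesNS/-/-/saved/searches
     | rename title AS alert_name
     | fields alert_name description]
| eval triggered=strftime(tonumber(triggered), "%Y-%m-%d %H:%M:%S")
| table host alert_name description triggered
| sort -triggered
```

Raise maxsearches if more than 50 alerts fired in the period, and on a search head cluster add splunk_server=local to the first rest call to avoid duplicate rows.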