I have an alert table with certain values:
Time (alert occurrence) | Alert Name | Severity....
Would it be possible to create a time entry the first time an alert is accessed?
This would help me to create a first response SLA.
Time | Alert Name | Severity | First response | SLA |
03/16/2022 05:20 PM | Failed Login | Medium | 03/16/2022 05:25 PM | 00:05 |
03/16/2022 05:30 PM | Access invalid | High | | |
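Assuming the first-response timestamp has already been captured somewhere (the open question above), the SLA column can be derived from the two timestamps in the table's own format. This is an added example, not code from the post or from Splunk; the 15-minute threshold is a hypothetical target.

```python
from datetime import datetime
from typing import Optional

# Timestamp format used in the table above (e.g. "03/16/2022 05:20 PM").
TS_FMT = "%m/%d/%Y %I:%M %p"

def parse_ts(value: str) -> Optional[datetime]:
    """Parse a table timestamp; an empty cell (no first response yet) gives None."""
    value = value.strip()
    return datetime.strptime(value, TS_FMT) if value else None

def first_response_sla(alert_time: str, first_response: str) -> Optional[str]:
    """Return the first-response time as HH:MM, or None when nobody has responded yet."""
    opened = parse_ts(alert_time)
    responded = parse_ts(first_response)
    if responded is None:
        return None
    if responded < opened:
        raise ValueError("first response precedes alert occurrence")
    minutes = int((responded - opened).total_seconds() // 60)
    return f"{minutes // 60:02d}:{minutes % 60:02d}"

def sla_report(rows, threshold_minutes: int = 15):
    """Annotate each row with its SLA column and whether the target was exceeded.

    rows: tuples of (time, alert_name, severity, first_response).
    threshold_minutes is an assumed target, not a value from the post.
    """
    report = []
    for alert_time, name, severity, first_response in rows:
        sla = first_response_sla(alert_time, first_response)
        if sla is None:
            status = "no response yet"
        else:
            hours, mins = map(int, sla.split(":"))
            status = "breach" if hours * 60 + mins > threshold_minutes else "ok"
        report.append({"alert": name, "severity": severity, "sla": sla, "status": status})
    return report

# Constructed sample rows mirroring the table in the question.
SAMPLE_ROWS = [
    ("03/16/2022 05:20 PM", "Failed Login", "Medium", "03/16/2022 05:25 PM"),
    ("03/16/2022 05:30 PM", "Access invalid", "High", ""),
]

if __name__ == "__main__":
    for entry in sla_report(SAMPLE_ROWS):
        print(entry)
```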
How do you detect the first time an alert is accessed? Or is that your question? What do you mean by "accessed"?
Correct, it is a question: is it possible to detect the exact date when the alert results are first accessed for review?
I don't know if it is possible for Splunk to collect that value in a field when doing that action.