Splunk Search

How to extract the IP or hostname from events for Triggered Alerts?

jhhernandez
New Member

Good day

I am currently in the process of creating alerts for the events received.

Within the Triggered Alerts, I can identify all the alerts that have fired, but I have a problem: the alerts only show the name, severity, etc., and I cannot identify fields like the host or IP.

Through a search I can find the log entries that the Triggered Alerts view uses, but I cannot find a way to extract the IP of the actual event.

index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time)  | table trigger_time ss_name severity | rename trigger_time as Fecha, ss_name as Alerta, severity as Severidad

How could I do this?

0 Karma

lguinn2
Legend

The _audit index is not the place to find this information. The _audit index can be used to see if alerts triggered as they should, but there is nothing in the audit index that contains the actual search results of the triggering search. In general, the _audit index should not be used as part of the alerting mechanism.

If you want to take an action based on the results of a search, you should edit the saved search itself. As part of the saved search, you could select the fields that you want to appear - and include the search results in an email for example.

If you want more follow-up on this, please show the original search that caused the alert to trigger.

0 Karma
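As an added illustration of the edit the answer above describes (this is example configuration, not from the original thread or from any Splunk documentation quoted here): the fields you want to see in the alert have to be part of the saved search's own results, and the alert action is then told to send those results. The saved-search name, the index and sourcetype (`index=firewall sourcetype=fw:traffic`), the field names `host` and `src_ip`, the threshold and the recipient address are all assumed for illustration.

```conf
# Example savedsearches.conf stanza (assumed names throughout).
# The triggered-alert record in _audit only stores the search name,
# severity and sid; host/IP come from the search results themselves.
[Blocked traffic by source - example]
# Put the fields you want to see (host, src_ip) into the result rows.
search = index=firewall sourcetype=fw:traffic action=blocked \
  | stats count latest(_time) as last_seen by host src_ip \
  | where count > 50 \
  | convert ctime(last_seen) \
  | table last_seen host src_ip count
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
# Fire when the search returns at least one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# Show the firing in Triggered Alerts (this is what writes alert_fired to _audit).
alert.track = 1
alert.severity = 4
# Email action: include the result rows inline so host and src_ip
# appear in the message; $result.<field>$ tokens use the first result row.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Blocked traffic from $result.src_ip$ on $result.host$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

The same search can be edited from the UI (Alerts, Edit, then the email action's "Include results" option); the stanza is shown because it makes explicit which setting controls which part of the behaviour.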