
How to extract the IP or hostname from events for Triggered Alerts?


Good day

I am currently in the process of creating alerts for the events received.

Within the Triggered Alerts, I can identify all the alerts that are activated, but I have a problem: the alerts only show the name, severity, etc., but I cannot see fields like the host or IP.

Through a search I can find the log that the Triggered Alerts page uses, but I cannot find a way to extract the IP of the actual event.

index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time) | table trigger_time ss_name severity | rename trigger_time as Fecha, ss_name as Alerta, severity as Severidad

How could I do this?

0 Karma


The _audit index is not the place to find this information. The _audit index can be used to see if alerts triggered as they should, but there is nothing in the audit index that contains the actual search results of the triggering search. In general, the _audit index should not be used as part of the alerting mechanism.

If you want to take an action based on the results of a search, you should edit the saved search itself. As part of the saved search, you could select the fields that you want to appear - and include the search results in an email for example.

If you want more follow-up on this, please show the original search that caused the alert to trigger.

0 Karma
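As an added illustration of the approach described in the answer (not from the original thread or from Splunk's own documentation), here is a hypothetical savedsearches.conf stanza for a saved search that keeps the host and source IP in its result rows, so the alert action can carry them; the index, sourcetype, field names and recipient address are assumptions.

```ini
# Hypothetical saved search: index, sourcetype, field names and address are assumed.
# The fields tabled by the search become $result.<field>$ tokens in the alert action
# (tokens are filled from the first result row); the full table is attached inline.
[Failed logins by host]
search = index=auth sourcetype=linux_secure "Failed password" \
| stats count AS failures, values(src_ip) AS src_ip, latest(_time) AS last_seen BY host \
| where failures > 20 \
| convert ctime(last_seen) \
| table host src_ip failures last_seen
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Fire when the search returns at least one row
counttype = number of events
relation = greater than
quantity = 0
# List the firing in Triggered Alerts, with a severity of 4 (high)
alert.track = 1
alert.severity = 4
# Email action carrying host and IP from the results, plus the results table itself
action.email = 1
action.email.to = soc@example.com
action.email.subject = Alert $name$: $result.host$ ($result.failures$ failures from $result.src_ip$)
action.email.message.alert = Alert "$name$" fired at $trigger_time$. First row: host=$result.host$ src_ip=$result.src_ip$ failures=$result.failures$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.include.results_link = 1
```

The same $result.<field>$ tokens are available to other alert actions (webhook, script), so whichever fields the saved search tables are what the alert can report; the _audit index never holds them.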