How to extract the IP or hostname from events for Triggered Alerts?

jhhernandez
New Member

Good day

I am currently in the process of creating alerts for the events received.

Within the Triggered Alerts, I can identify all the alerts that are activated, but I have a problem - the alerts only show the name, severity ... but I do not identify fields like the host or IP.

Through a search I can find the log that uses the Triggered Alerts, but I cannot find the way to extract the IP of the actual event.

index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time)  | table trigger_time ss_name severity | rename trigger_time as Fecha, ss_name as Alerta, severity as Severidad

How could I do this?

0 Karma

lguinn2
Legend

The _audit index is not the place to find this information. The _audit index can be used to see if alerts triggered as they should, but there is nothing in the audit index that contains the actual search results of the triggering search. In general, the _audit index should not be used as part of the alerting mechanism.

If you want to take an action based on the results of a search, you should edit the saved search itself. As part of the saved search, you could select the fields that you want to appear - and include the search results in an email for example.

If you want more follow-up on this, please show the original search that caused the alert to trigger.

0 Karma
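The approach the answer recommends, written out as a savedsearches.conf stanza: the alert's own search carries the host and IP fields, and the email action mails that result table instead of anything read back from _audit. This is an added example, not the poster's or Splunk's configuration; the stanza name, the `web` index, the threshold and the `src_ip` field are assumptions (`host` is a Splunk default field).

```ini
# savedsearches.conf - added example, not from the original thread.
# Stanza name, index "web", the threshold and the src_ip field are assumptions.
[Failed logins by host and source IP]
# Put the fields you want to see in the alert output into the search itself;
# _audit only records that the alert fired, never these result rows.
search = index=web sourcetype=access_combined status=401 \
| stats count AS attempts BY host, src_ip \
| where attempts > 20
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Scheduled every 15 minutes; fire when the search returns any rows.
enableSched = 1
cron_schedule = */15 * * * *
counttype = number of events
relation = greater than
quantity = 0
# List it under Activity > Triggered Alerts with a severity (4 = high).
alert.track = 1
alert.severity = 4
# One alert per run, with the result table (host, src_ip, attempts) in the mail body.
alert.digest_mode = 1
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ ($job.resultCount$ results)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

Because the rows are produced by the scheduled search itself, the same host and src_ip values are also available from the "View results" link of the triggered alert, without any lookup against _audit.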