Solved: Re: finding alerts (saved searchs) based on alarm ...

MarcRiese · ‎10-06-2020

Usually I find an individual alert, i.e., a saved search, among a large number of alerts by searching for it by name.

How can I find the individual alert that generates a known, specific alarm-ID, e.g. "file error 12345"?

More generally, how does one find an alert, among a large number of alerts, based on the contents of the events it generates?

Is there a way to find all alerts that generate alarm IDs containing a text, i.e. where the text is a substring of the complete alarm IDs. For example, all alerts that generate alarm IDs containing "file error"?

richgalloway · ‎10-06-2020

I'm not aware of a way to search for the alert that generated a particular set of results.

To help identify which alert generated a particular alarm, start with the Activity->Triggered Alerts page. This way you are not checking searches that haven't fired.

It may help to include the search name in any email alerts.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-06-2020

I'm not aware of a way to search for the alert that generated a particular set of results.

To help identify which alert generated a particular alarm, start with the Activity->Triggered Alerts page. This way you are not checking searches that haven't fired.

It may help to include the search name in any email alerts.

---
If this reply helps you, Karma would be appreciated.

finding alerts (saved searchs) based on alarm IDs or other event contents

metadata

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?