Solved: finding alerts (saved searchs) based on alarm IDs ...

MarcRiese · ‎10-06-2020

Usually I find an individual alert, i.e., a saved search, among a large number of alerts by searching for it by name.

How can I find the individual alert that generates a known, specific alarm-ID, e.g. "file error 12345"?

More generally, how does one find an alert, among a large number of alerts, based on the contents of the events it generates?

Is there a way to find all alerts that generate alarm IDs containing a text, i.e. where the text is a substring of the complete alarm IDs. For example, all alerts that generate alarm IDs containing "file error"?

richgalloway · ‎10-06-2020

I'm not aware of a way to search for the alert that generated a particular set of results.

To help identify which alert generated a particular alarm, start with the Activity->Triggered Alerts page. This way you are not checking searches that haven't fired.

It may help to include the search name in any email alerts.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-06-2020

I'm not aware of a way to search for the alert that generated a particular set of results.

To help identify which alert generated a particular alarm, start with the Activity->Triggered Alerts page. This way you are not checking searches that haven't fired.

It may help to include the search name in any email alerts.

---
If this reply helps you, Karma would be appreciated.

finding alerts (saved searchs) based on alarm IDs or other event contents

metadata

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

finding alerts (saved searchs) based on alarm IDs or other event contents

metadata

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!