Alerting

How to export a list of triggered alerts to CSV based on the name of the scheduled search that triggered them.

cdo_splunk
Splunk Employee
Splunk Employee

How to export splunk alert name only from search to excel csv format?

1 Solution

hexx
Splunk Employee
Splunk Employee

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

View solution in original post

hexx
Splunk Employee
Splunk Employee

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

twinspop
Influencer

This works great for single search environments. But with pooled search heads, I only see the triggered alerts on the search head I happen to be landing on. (I don't have a search head cluster set-up yet to test. Does this behavior change?)

0 Karma

lakshman239
SplunkTrust
SplunkTrust

In Splunk cloud with more than 1 search head, would this approach still work to get all the fired alerts?

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...