Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to export a list of triggered alerts to CSV based on the name of the scheduled search that triggered them.

cdo_splunk
Splunk Employee
Splunk Employee
‎02-03-2015 12:06 PM

How to export splunk alert name only from search to excel csv format?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎02-03-2015 12:18 PM

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎02-03-2015 12:18 PM

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

Reply
Solved! Jump to solution

twinspop
Influencer
‎02-20-2015 03:35 PM

This works great for single search environments. But with pooled search heads, I only see the triggered alerts on the search head I happen to be landing on. (I don't have a search head cluster set-up yet to test. Does this behavior change?)

0 Karma
Reply
Solved! Jump to solution

lakshman239
Influencer
‎08-15-2016 05:13 AM

In Splunk cloud with more than 1 search head, would this approach still work to get all the fired alerts?

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...