
how to add Alert name and triggered time to lookup file

visvar90
Engager

Hi,

I would like to add alert name and its triggered time to a lookup file once the alert is triggered.

I don't need the results; the alert name and triggered time would do.

Basically, I need this data for reporting purposes. I am aware that this can be obtained from Triggered Alerts via the REST API, or from the audit index.

When I use the REST API for triggered alerts, the triggered time is not there, and for the audit index only admins have access.

So I am trying to do something while the alert is being triggered.


ITWhisperer
SplunkTrust

You could include an outputlookup in your alert search, although the alert search would need to include the logic that it was going to trigger, so that depends on how your triggers are defined, and if your trigger changes you may have to change the search as well.

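As an added illustration of this approach (example search, not ITWhisperer's own code): an alert search that writes only the alert name and the trigger time to a lookup, and only when its own trigger condition is met. The index, sourcetype, threshold, alert name and lookup file name are all assumptions; the `where` line must mirror the alert's trigger condition, which is exactly the coupling described above. With this shape the alert itself should be configured to trigger on "number of results greater than 0".

```spl
index=web sourcetype=access_combined status>=500
| stats count AS error_count
| where error_count > 50
| eval alert_name="web_5xx_spike", triggered_time=strftime(now(), "%Y-%m-%d %H:%M:%S")
| table alert_name, triggered_time
| outputlookup append=true triggered_alerts.csv
```

`append=true` keeps the earlier rows in `triggered_alerts.csv` and, when the `where` filter leaves no results, writes nothing, so the lookup only grows when the alert actually fires. The search's owner needs write permission on the lookup (or on the app it lives in), and if the threshold in the alert's trigger condition is changed later, the `where` line has to be changed to match.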

visvar90
Engager

thanks @gcusello 

Unfortunately we don't have access to the audit table. Only admin can access it.

Hence I am trying to work around this while the alert is generated. I just need the alert name and triggered time.


gcusello
SplunkTrust

Hi @visvar90 ,

you could ask your admins to schedule this search (with the collect command to save in a summary index, or outputlookup to save in a lookup) and then you can access the summary index or the lookup.

In this way, you can access only the alerts information from the audit index.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @visvar90,

you can use this search (thanks to @MuS) to identify the triggered alerts:

index=_audit action="alert_fired"
| rename ss_name AS title
| join title [ | rest /services/saved/searches | table title, alert_threshold ]
| timechart values(alert_threshold) AS alert_threshold count by title

Then you can save the results in a lookup with outputlookup or (better) in a summary index (using collect command) that you can use for your reports.

Ciao.

Giuseppe

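As an added example that is not part of Giuseppe's post: the scheduled search an admin could run every 15 minutes against `_audit`, keeping only the alert name and fire time and appending them to a lookup that non-admin users are allowed to read. The lookup file name and the 15-minute window are assumptions; the fire time is taken from the audit event's `_time`, since that is the field the search above relies on.

```spl
index=_audit action="alert_fired" earliest=-15m@m latest=@m
| rename ss_name AS alert_name
| eval triggered_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| dedup alert_name, triggered_time
| table alert_name, triggered_time
| outputlookup append=true triggered_alerts.csv
```

Scheduling the search on a cron of `*/15 * * * *` with the aligned `-15m@m`/`@m` window means consecutive runs do not overlap, so each firing is recorded once; the `dedup` is only a guard in case the window is widened later. Replacing the last line with `| collect index=alert_summary sourcetype=alert_fired` sends the same two fields to a summary index instead, which scales better than a lookup for long retention. Either way the non-admin user only sees the alert name and time, not the rest of `_audit`, which is the point of letting an admin schedule it.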