Hi,
We recently gave customers the ability to create their own alerts into our ticket management system. I'm concerned that some customers will flood either the ticketing system or email inboxes. Is there any way to monitor the number of alerts that are getting generated in Splunk, similar to any other data source?
You can start by searching the _internal index for alert_actions field data:
index=_internal alert_actions="*"
This will get you the raw data.
To count the times an alert has been triggered and get a list of which searches they are, use:
index=_internal alert_actions="*" | top alert_actions,savedsearch_name limit=0
Cheers,
Jesse
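Building on the search in the answer above, here is an added example (not from the original answer) that goes one step further than a total count: it buckets the scheduler events into hourly windows and reports only the saved searches whose alert volume in a window exceeds a threshold, which is the "flood" condition the question is really about. The threshold of 20 alerts per hour, the one-hour window and the `app`/`user` grouping fields are assumptions to adjust for your environment; `sourcetype=scheduler` narrows the search to scheduler.log, which is where `alert_actions` and `savedsearch_name` are logged.

```spl
index=_internal sourcetype=scheduler alert_actions="*"
| bin _time span=1h
| stats count AS alerts_fired, values(alert_actions) AS actions
    BY _time, user, app, savedsearch_name
| where alerts_fired > 20
| sort - alerts_fired
```

Save this as its own scheduled search if you want to be notified when a customer's alert starts flooding; to watch only the email path, change the first line to `alert_actions="*email*"`. Give that watchdog a non-email action (for example a summary index or a script), so the flood it detects cannot amplify itself through the same inboxes.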