Alerting

How to export a list of triggered alerts to CSV based on the name of the scheduled search that triggered them.

cdo_splunk
Splunk Employee
Splunk Employee

How to export splunk alert name only from search to excel csv format?

1 Solution

hexx
Splunk Employee
Splunk Employee

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

View solution in original post

hexx
Splunk Employee
Splunk Employee

Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.

The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count

All you need to do next is to export these results using the UI, in CSV format.

Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.

twinspop
Influencer

This works great for single search environments. But with pooled search heads, I only see the triggered alerts on the search head I happen to be landing on. (I don't have a search head cluster set-up yet to test. Does this behavior change?)

0 Karma

lakshman239
SplunkTrust
SplunkTrust

In Splunk cloud with more than 1 search head, would this approach still work to get all the fired alerts?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...