How to export splunk alert name only from search to excel csv format?
Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.
The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:
| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count
All you need to do next is to export these results using the UI, in CSV format.
Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.
Let's say you want to export the names of all triggered alerts that match scheduled searches named "CRITICAL ALERT - " and their trigger count.
The best way to do this would be to hit the "fired_alerts" endpoint with a rest-based search and to format the results in a way that is export-friendly:
| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | where match(title,"CRITICAL ALERT - ") | fields title triggered_alert_count
All you need to do next is to export these results using the UI, in CSV format.
Note that you can also fetch/export results on a per-alert basis if you hit the "fired_alerts/{alert_name}" endpoint.
This works great for single search environments. But with pooled search heads, I only see the triggered alerts on the search head I happen to be landing on. (I don't have a search head cluster set-up yet to test. Does this behavior change?)
In Splunk cloud with more than 1 search head, would this approach still work to get all the fired alerts?