I have created alerts based on use cases, e.g. failed authentications. These alerts pertain to different data sources: Failed auth on Windows, Failed auth on Linux, etc. The alert results go into the _internal index. I want to display the count of these alerts on a dashboard. Currently I am doing this by using the savedsearch_name field and correlating against the "Failed-auth" in the name as follows:
search index=_internal sourcetype=scheduler savedsearch_name="*Failed_Auth*"
However, this makes me dependent on correct naming conventions. I would rather create a tag (say alert-type=failed-auth) when the alert gets written to the _internal index. I know you can do this using summary indexing, but the customer doesn't want to use summary indexing. Any suggestions?
Try this search. This will give all the scheduled search executions that have an alert action configured.
index=_internal sourcetype=scheduler status=success alert_action=* alert_action!=""
somesoni2 - your solution may work if we define alert_action. This is not defined and as such cannot be used as a filter. Is there any way to add a tag to the saved search result?
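As an added example, not posted by anyone in this thread: the scheduler-log search from the first post, extended to count firings per alert type through a lookup rather than through the saved-search name, so the dashboard no longer depends on a naming convention. It assumes a lookup table alert_type_map (a CSV with columns savedsearch_name and alert_type, e.g. Failed_Auth_Windows,failed-auth) and the output field alert_type; both are assumptions and not part of the page.

```spl
index=_internal sourcetype=scheduler status=success savedsearch_name=*
| lookup alert_type_map savedsearch_name OUTPUT alert_type
| fillnull value=unmapped alert_type
| stats count AS firings BY alert_type
| sort - firings
```

Saved searches whose names are missing from the lookup land in the unmapped bucket, which makes naming drift visible on the dashboard instead of silently dropping those alerts from the count.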