How to create a tag for alerts when they are writt...

jonnim · ‎04-06-2016

I have created alerts based on use case for e.g. failed authentications. These alerts pertain to different data sources, - Failed auth on Windows Failed auth on Linux etc. The alerts results go into the _internal index. I want to display the count of these alerts on a dashboard. Currently I am doing this by using the savedsearch_name field and correlating against the :Failed-auth" in the name as follows:

search index=_internal sourcetype=scheduler savedsearch_name="*Failed_Auth*"

However, this makes me dependent on correct naming conventions. I would rather create a tag (say alert-typ=failed-auth) when the alert gets written to the _internal index. I know you can do this using summary indexing, but customer doesn't want to use summary indexing ..Any suggestions?

somesoni2 · ‎04-07-2016

Try this search. THis will give all the scheduled search execution which has an alert action configured.

index=_internal sourcetype=scheduler status=success alert_action=* alert_action!=""

jonnim · ‎04-07-2016

somesoni2 - you solution may work if we define alert_action. This is not defined and such cannot be used as a filter. Is there anyway to add a tag to the saved search result?

How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life