Splunk Search

How to extract the IP or hostname from events for Triggered Alerts?

jhhernandez
New Member

Good day

I am currently in the process of creating alerts for the events received.

Within the Triggered Alerts, I can identify all the alerts that are activated, but I have a problem: the alerts only show the name, severity, etc., but I do not see fields like the host or IP.

Through a search I can find the log that uses the Triggered Alerts, but I cannot find the way to extract the IP of the actual event.

index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time)  | table trigger_time ss_name severity | rename trigger_time as Fecha, ss_name as Alerta, severity as Severidad

How could I do this?

0 Karma

lguinn2
Legend

The _audit index is not the place to find this information. The _audit index can be used to see if alerts triggered as they should, but there is nothing in the audit index that contains the actual search results of the triggering search. In general, the _audit index should not be used as part of the alerting mechanism.

If you want to take an action based on the results of a search, you should edit the saved search itself. As part of the saved search, you could select the fields that you want to appear - and include the search results in an email for example.

If you want more follow-up on this, please show the original search that caused the alert to trigger.

0 Karma
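A worked example of what the answer recommends, added here as an editor's illustration and not code posted by either participant: a savedsearches.conf stanza for a hypothetical alert whose triggering search carries host and src_ip into its own results, so the email action (and the alert's saved results) show them instead of the bare name and severity that _audit records. The stanza name, index, sourcetype, field names, threshold and recipient address are all assumptions.

```ini
# savedsearches.conf (in the app's local/ directory) - hypothetical alert.
# Assumed: index=auth, sourcetype=linux_secure, fields host and src_ip already extracted.
[Failed logins by host]

# The triggering search itself produces one row per host/src_ip pair and keeps
# exactly the columns the analyst wants to see in the alert output.
search = index=auth sourcetype=linux_secure "Failed password" \
| stats count AS failures, values(user) AS users, min(_time) AS first_seen, max(_time) AS last_seen BY host, src_ip \
| where failures > 10 \
| convert ctime(first_seen) ctime(last_seen) \
| table first_seen last_seen host src_ip failures users

# Run every five minutes over the last five minutes.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

# Fire when the search returns at least one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Show it under Activity > Triggered Alerts (this is what writes action=alert_fired to _audit).
alert.track = 1
alert.severity = 4

# One alert per result row (per host/src_ip), so each notification names a single host.
alert.digest_mode = 0

# Email action with the result table inline; $result.<field>$ tokens pull values from the row.
action.email = 1
action.email.to = soc@example.com
action.email.subject = $name$: $result.failures$ failed logins on $result.host$ from $result.src_ip$
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table
```

The ss_name value seen in the _audit event is simply this stanza name; the host and IP never reach _audit, which is why they must be columns of the alert's own search (here via the `BY host, src_ip` clause) and why the notification action, not the _audit index, is where they get reported.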