Solved: Find alerts that have triggered without alert.trac...

antb · ‎04-20-2020

Hi All,

I have some alerts configured to email as the only action. Alert.track (Add to Triggered Alerts) is not enabled. I've tried to find evidence anywhere in Splunk logs that these alerts have fired, however, I'm unable.

I've tried looking in :

| rest splunk_server=local /servicesNS/-/-/saved/searches

as well as:

index=_audit action=alert_fired ss_app=myapp

However, neither appear to show evidence that the alert has fired (Yes, I receive the email). It's possible I'm just missing it or it is logged in another area?

Thank you.

manjunathmeti · ‎04-20-2020

Check scheduler logs. Below query gives list of scheduled searches triggered with alert action.

index=_internal sourcetype=scheduler search_type=scheduled alert_actions!="" | table savedsearch_name, sid, app, alert_actions, scheduled_time, *time

View solution in original post

manjunathmeti · ‎04-20-2020

Check scheduler logs. Below query gives list of scheduled searches triggered with alert action.

index=_internal sourcetype=scheduler search_type=scheduled alert_actions!="" | table savedsearch_name, sid, app, alert_actions, scheduled_time, *time

Find alerts that have triggered without alert.track

email

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms