Solved: Re: How to access to the triggered alerts in the p...

damucka · ‎06-24-2019

Hello,

I need to access the alerts triggered in the past in my current alert SPL.
I have a use case where I need to know what were the settings of the result variables there (in the past triggered alerts).
Is something like that possible at all?

Kind Regards,
Kamil

crliddy · ‎06-24-2019

Hi, in your alert, I would be pushing the results to a summary index or lookup table. Once you have your results, you can use the sistats command or the outputcsv command. Once you have this data stored, you can retrieve this with a join/append or a lookup.

View solution in original post

Azeemering · ‎06-24-2019

You can run the following search to see your environment's triggered alerts:

index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time) | table trigger_time ss_name severity | rename trigger_time as "Alert Time" ss_name as "Alert Name" severity as "Severity"

dearbhavana · ‎02-08-2022

I tried this splunk query for the past triggered alerts but no results found for this search. not sure why. can you pls guide here ?

mohanrajm · ‎08-05-2020

Thanks for this query. It is working perfectly!

crliddy · ‎06-24-2019

Hi, in your alert, I would be pushing the results to a summary index or lookup table. Once you have your results, you can use the sistats command or the outputcsv command. Once you have this data stored, you can retrieve this with a join/append or a lookup.

damucka · ‎06-24-2019

@crliddy

Yes, this is what I am going to do - use kv store and then retrieve the data.

Kind Regards,
Kamil

How to access to the triggered alerts in the past in the current alert SPL?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases