how to pull a list of alerts which is having speci...

iqbalintouch · ‎04-16-2020

Hi,

How can I pull a list or report of alerts which is having any of these specific words?
"purchase" OR "search" OR "booking"

memarshall63 · ‎04-16-2020

Do you mean something like this?:

|rest /servicesNS/-/-/saved/searches 
| table title eai:acl.app eai:acl.owner actions search

So maybe with your criteria, it'd be:

|rest /servicesNS/-/-/saved/searches 
| table title eai:acl.app eai:acl.owner actions search
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"

Alerts generally have actions so you could add a filter for those, or there may be other ways to do it:

|rest /servicesNS/-/-/saved/searches 
| search NOT actions="" 
| table title eai:acl.app eai:acl.owner actions search 
| where title LIKE "%Purchase%" OR title LIKE "%search%" OR title LIKE "%booking%"

to4kawa · ‎04-16-2020

see https://answers.splunk.com/answers/509669/how-to-create-a-dashboard-that-gives-information-a.html

how to pull a list of alerts which is having specific word?

alert condition

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases