Re: How to create a tag for alerts when they are w...

jonnim · ‎04-06-2016

I have created alerts based on use case for e.g. failed authentications. These alerts pertain to different data sources, - Failed auth on Windows Failed auth on Linux etc. The alerts results go into the _internal index. I want to display the count of these alerts on a dashboard. Currently I am doing this by using the savedsearch_name field and correlating against the :Failed-auth" in the name as follows:

search index=_internal sourcetype=scheduler savedsearch_name="*Failed_Auth*"

However, this makes me dependent on correct naming conventions. I would rather create a tag (say alert-typ=failed-auth) when the alert gets written to the _internal index. I know you can do this using summary indexing, but customer doesn't want to use summary indexing ..Any suggestions?

somesoni2 · ‎04-07-2016

Try this search. THis will give all the scheduled search execution which has an alert action configured.

index=_internal sourcetype=scheduler status=success alert_action=* alert_action!=""

jonnim · ‎04-07-2016

somesoni2 - you solution may work if we define alert_action. This is not defined and such cannot be used as a filter. Is there anyway to add a tag to the saved search result?

How to create a tag for alerts when they are written to the _internal index to display a count of alerts on a dashboard?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio