Solved: How to count the number of alert returning results...

jip31 · ‎09-28-2023

Hi

I have a lot of alerts in my Splunk apps

Is there a way to count the number of alerts returning result by days, by month...

Is it possible ?

Thanks

richgalloway · ‎09-28-2023

Sorry, I left that out of my original reply. The number of results is in the result_count field. If the alert did anything, then the alert_actions field is not empty.

If an alert fired (was triggered), it will be in the output of this command

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | search title!="-"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-28-2023

Start with this query and modify as necessary to suit your requirements. Note that, by default, the _internal index only has 30 days of day so there may no "by month".

index=_internal source=*scheduler.log* savedsearch_name=* sourcetype=scheduler alert_actions!=""

---
If this reply helps you, Karma would be appreciated.

jip31 · ‎09-28-2023

Thanks

Is alert_actions is the field that an alert has generated a result?

alert_actions!=

If yes, if i want to count the alerts actions, its enough to do a stats count(alert_actions) ?

richgalloway · ‎09-28-2023

Sorry, I left that out of my original reply. The number of results is in the result_count field. If the alert did anything, then the alert_actions field is not empty.

If an alert fired (was triggered), it will be in the output of this command

| rest splunk_server=local /servicesNS/-/-/alerts/fired_alerts | search title!="-"

---
If this reply helps you, Karma would be appreciated.

How to count the number of alert returning results?

alert action

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud