How to find the Index name for every Alert created in Splunk

Sometimes you need to know which index an alert runs against, for example when an index is being retired, a data source has stopped feeding it, or access to it is being restricted, because every alert that depends on that index goes blind at the same time. Both the run history of an alert and the index it searches can be pulled out of Splunk with a single search each.

Example 1:

How to find the status and run time of an alert with a Splunk search. The query below returns this information for every saved search that the alert scheduler has run.

Query:

index=_internal sourcetype=scheduler thread_id="AlertNotifier*" NOT app="sideview*" NOT app="splunk_monitoring_console"
| table _time,run_time,alert_actions,app,status,savedsearch_name

Result:

(screenshot of the results table)

Explanation:

The search reads the "_internal" index with sourcetype "scheduler", where the scheduler logs every run of a saved search. The "thread_id" filter keeps the events written when alert actions are evaluated, and the two NOT clauses drop the built-in Monitoring Console alerts and Sideview app searches, which would otherwise crowd out your own alerts. The "table" command keeps the "_time", "run_time", "alert_actions", "app", "status" and "savedsearch_name" fields, which is enough to see when each alert last ran, how long it took, whether the run succeeded or was skipped, and which actions are attached to it. Before relying on this, check that your role is allowed to search internal indexes; the default user role is not, so the query returns nothing rather than an error.
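As an added example, not part of the original post, the following Python script applies the same filtering to a handful of scheduler events and summarises runs, skipped runs, last status, last run time and alert actions per saved search. The sample lines are constructed in the shape of sourcetype=scheduler events for illustration; on a real system you would feed it exported search results or lines from scheduler.log.

```python
import re
from collections import OrderedDict

# Constructed sample events in the shape of index=_internal sourcetype=scheduler
# (SavedSplunker) lines. They are illustrative, not copied from a live instance.
SAMPLE_SCHEDULER_LOG = """\
03-12-2024 10:00:05.123 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Failed Logins", search_type="scheduled", user="admin", app="search", savedsearch_name="Failed Logins", status=success, scheduled_time=1710237600, run_time=2.134, result_count=3, alert_actions="email", thread_id="AlertNotifierWorker-0"
03-12-2024 10:05:00.010 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Failed Logins", search_type="scheduled", user="admin", app="search", savedsearch_name="Failed Logins", status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached", scheduled_time=1710237900, alert_actions="email", thread_id="AlertNotifierWorker-1"
03-12-2024 10:05:01.442 +0000 INFO  SavedSplunker - savedsearch_id="nobody;splunk_monitoring_console;DMC Alert - Saturated Event-Processing Queues", search_type="scheduled", user="nobody", app="splunk_monitoring_console", savedsearch_name="DMC Alert - Saturated Event-Processing Queues", status=success, scheduled_time=1710237900, run_time=0.412, result_count=0, alert_actions="", thread_id="AlertNotifierWorker-2"
03-12-2024 10:10:02.900 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Privilege Escalation", search_type="scheduled", user="soc", app="search", savedsearch_name="Privilege Escalation", status=success, scheduled_time=1710238200, run_time=5.5, result_count=1, alert_actions="email, webhook", thread_id="AlertNotifierWorker-0"
"""

# key=value pairs; quoted values may contain commas and escaped quotes.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')


def parse_scheduler_line(line):
    """Return the key=value fields of one scheduler event as a dict."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare or quoted
    return fields


def summarize_alerts(log_text, excluded_apps=("splunk_monitoring_console",),
                     excluded_app_prefixes=("sideview",)):
    """Mirror the SPL above: keep AlertNotifier* events, drop the noise apps, and
    report per saved search the run count, how many runs were skipped, the most
    recent status and run_time, and the configured alert actions."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        f = parse_scheduler_line(line)
        if not f.get("thread_id", "").startswith("AlertNotifier"):
            continue
        app = f.get("app", "")
        if app in excluded_apps or app.startswith(excluded_app_prefixes):
            continue
        name = f.get("savedsearch_name")
        if not name:
            continue
        entry = summary.setdefault(name, {"app": app, "runs": 0, "skipped": 0,
                                          "last_status": None, "last_run_time": None,
                                          "alert_actions": ""})
        entry["runs"] += 1
        entry["last_status"] = f.get("status")
        if f.get("status") == "skipped":
            entry["skipped"] += 1
        if "run_time" in f:  # skipped runs carry no run_time
            entry["last_run_time"] = float(f["run_time"])
        if f.get("alert_actions"):
            entry["alert_actions"] = f["alert_actions"]
    return summary


if __name__ == "__main__":
    for name, e in summarize_alerts(SAMPLE_SCHEDULER_LOG).items():
        print(f'{name:<22} app={e["app"]:<8} runs={e["runs"]} skipped={e["skipped"]} '
              f'last={e["last_status"]} run_time={e["last_run_time"]} actions="{e["alert_actions"]}"')
```

The skipped counter is the part worth watching: an alert that is regularly skipped because of concurrency limits never evaluates its condition, so it silently stops alerting even though its configuration looks healthy.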

********************************************************************************

Example 2:

How to find which index each alert searches. The query below lists every saved search and pulls the index name out of its search string.

Query:

| rest /servicesNS/-/search/saved/searches
| table title,triggered_alert_count,search,cron_schedule,alert_type,alert_condition
| rex field=search "index=(?<IndexName>\w+)\s*.*"
| fillnull value="DefaultIndex" IndexName

Result:

(screenshot of the results table)

Explanation :

The "rest" command is a generating command: it queries the saved/searches REST endpoint and returns one row per saved search. With "table" we keep the "title", "triggered_alert_count", "search", "cron_schedule", "alert_type" and "alert_condition" fields. The "rex" command then extracts the index name from the "search" field into a new "IndexName" field, and "fillnull" labels the rows where nothing was extracted as "DefaultIndex". Three caveats apply. First, "DefaultIndex" is only a label: a search with no index term runs against the default indexes of its owner's role, so those alerts are the ones to review when index permissions change. Second, the rex only matches the form index=name with a bare word; searches written as index="name", index IN (...), index=* or with several indexes joined by OR will also show up as "DefaultIndex", so scan the "search" column for those rows rather than trusting the label. Third, the endpoint also returns reports and unscheduled searches; add "| search is_scheduled=1" to restrict the list to searches the scheduler actually runs, and use /servicesNS/-/-/saved/searches if you want saved searches from every app rather than only those visible from the search app.
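As an added example, not part of the original post, the Python below does the extraction more robustly than the single rex above: it handles quoted index names, the index::name syntax, index IN (...) lists, wildcards and several indexes in one search, and it distinguishes "no explicit index" from an index literally called DefaultIndex. The saved-search records are constructed in the shape of the REST endpoint's output (title, search, is_scheduled, cron_schedule); in practice you would export the rest results as JSON and load them instead.

```python
import re

# Constructed records in the shape returned by | rest /servicesNS/-/-/saved/searches.
# Titles, search strings and schedules are made up for illustration.
SAMPLE_SAVED_SEARCHES = [
    {"title": "Failed Logins", "is_scheduled": "1", "cron_schedule": "*/5 * * * *",
     "search": 'index=wineventlog EventCode=4625 | stats count by user'},
    {"title": "Privilege Escalation", "is_scheduled": "1", "cron_schedule": "*/10 * * * *",
     "search": '(index="linux_secure" OR index=os_auth) sudo | stats count by host'},
    {"title": "Web Attacks", "is_scheduled": "1", "cron_schedule": "0 * * * *",
     "search": 'index IN (proxy, "waf", web*) sourcetype=access_combined status>=400'},
    {"title": "Legacy Field Syntax", "is_scheduled": "1", "cron_schedule": "0 6 * * *",
     "search": 'index::firewall action=blocked | top src_ip'},
    {"title": "No Explicit Index", "is_scheduled": "1", "cron_schedule": "0 7 * * *",
     "search": 'sourcetype=syslog error | stats count'},
    {"title": "Unscheduled Report", "is_scheduled": "0", "cron_schedule": "",
     "search": 'index=main | head 10'},
]

# index=name, index="name", index='name', index::name (value stops at whitespace,
# parentheses, pipes and commas so 'index=os_auth)' yields os_auth).
INDEX_EQ_RE = re.compile(r'(?i)\bindex\s*(?:=|::)\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s()|,]+))')
# index IN (a, "b", c*)
INDEX_IN_RE = re.compile(r'(?i)\bindex\s+IN\s*\(([^)]*)\)')


def extract_indexes(spl):
    """Return the distinct index names an SPL string references explicitly,
    in first-seen order. Generalises the page's rex, which only catches index=word."""
    found = []
    for m in INDEX_EQ_RE.finditer(spl):
        name = next(g for g in m.groups() if g is not None)
        if name:
            found.append(name)
    for m in INDEX_IN_RE.finditer(spl):
        for item in m.group(1).split(","):
            item = item.strip().strip('"\'')
            if item:
                found.append(item)
    return list(dict.fromkeys(found))


def alert_index_report(records, only_scheduled=True):
    """One row per saved search with its explicit indexes. An empty list means the
    search runs against the owner's default indexes; it is not an index named
    'DefaultIndex'."""
    report = []
    for rec in records:
        if only_scheduled and str(rec.get("is_scheduled", "0")) != "1":
            continue
        idx = extract_indexes(rec.get("search", ""))
        report.append({"title": rec["title"], "indexes": idx, "explicit": bool(idx),
                       "cron_schedule": rec.get("cron_schedule", "")})
    return report


if __name__ == "__main__":
    for row in alert_index_report(SAMPLE_SAVED_SEARCHES):
        shown = ", ".join(row["indexes"]) if row["explicit"] else "(default indexes of owner's role)"
        print(f'{row["title"]:<22} {row["cron_schedule"]:<13} {shown}')
```

Rows with "explicit" set to False are the ones to audit first: their coverage depends on role configuration rather than on the search itself, so a change to a role's default indexes can silently alter what those alerts see.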

Hope this has helped you in achieving the below requirement without fail:

How to find the Index name for every Alert created in Splunk

Happy Splunking !!
