SPL
Show your triggered alerts
Description
This search shows all the alerts that were triggered in your Splunk environment, using the alert_fired events recorded in the _audit index:
index=_audit action=alert_fired ss_app=*
| eval ttl=expiration-now()
| search ttl>0
| convert ctime(trigger_time)
| table trigger_time ss_name severity
| rename trigger_time as "Alert Time" ss_name as "Alert Name" severity as "Severity"
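To see what the search does step by step without a Splunk instance, here is an added Python re-implementation of the same filter, TTL check and column renaming over a few constructed _audit-style lines. It is not part of the original snippet; the line layout, field values and the UTC rendering of trigger_time (Splunk's ctime uses the server's local time zone) are assumptions.

```python
"""Offline re-implementation of the 'show your triggered alerts' SPL search."""
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of Splunk _audit "alert_fired" events.
# Field names match the SPL above; all values are made up for this example.
SAMPLE_AUDIT = """\
Audit:[timestamp=01-15-2024 10:00:05.000, user=admin, action=alert_fired, ss_app="search", ss_name="Brute force logins", sid="scheduler__admin__search__1", severity=4, trigger_time=1705312800, expiration=1705399200]
Audit:[timestamp=01-15-2024 10:05:05.000, user=admin, action=alert_fired, ss_app="SA-threat", ss_name="Suspicious process", sid="scheduler__admin__SA__2", severity=5, trigger_time=1705313100, expiration=1705313200]
Audit:[timestamp=01-15-2024 10:06:00.000, user=admin, action=search, ss_app="search", ss_name="ad hoc", sid="x", severity=1]
"""

# key=value pairs; values are either double-quoted or run to the next comma/bracket
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\]]+)')


def parse_audit_line(line):
    """Split one _audit event into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triggered_alerts(raw, now):
    """Mirror the SPL pipeline:
    action=alert_fired ss_app=*  -> keep only fired alerts that carry an app
    eval ttl=expiration-now() | search ttl>0 -> drop alerts past their expiration
    convert ctime(trigger_time) | table | rename -> the three output columns
    `now` is the epoch second to compare against (Splunk's now())."""
    rows = []
    for line in raw.splitlines():
        ev = parse_audit_line(line)
        if ev.get("action") != "alert_fired" or not ev.get("ss_app"):
            continue
        ttl = int(ev["expiration"]) - now
        if ttl <= 0:
            continue  # expired alert, same as `search ttl>0`
        fired = datetime.fromtimestamp(int(ev["trigger_time"]), tz=timezone.utc)
        rows.append({
            "Alert Time": fired.strftime("%m/%d/%Y %H:%M:%S"),
            "Alert Name": ev["ss_name"],
            "Severity": ev["severity"],
        })
    return rows


if __name__ == "__main__":
    # now = 1705313250: first alert still live, second one expired 50 s ago
    for row in triggered_alerts(SAMPLE_AUDIT, now=1705313250):
        print(row)
```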
Comments
This only measures triggered alerts though, no? If you do not have an action set to trigger a "Triggered Alert", this won't give back correct stats.
I re-read the title and got the right context for it now. Ty.