I have created alerts based on use cases, e.g. failed authentications. These alerts pertain to different data sources: failed auth on Windows, failed auth on Linux, etc. The alert results go into the _internal index. I want to display the count of these alerts on a dashboard. Currently I am doing this by using the savedsearch_name field and correlating against the "Failed-auth" in the name as follows:
search index=_internal sourcetype=scheduler savedsearch_name="*Failed_Auth*"
However, this makes me dependent on correct naming conventions. I would rather create a tag (say alert-type=failed-auth) when the alert gets written to the _internal index. I know you can do this using summary indexing, but the customer doesn't want to use summary indexing. Any suggestions?
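One way to decouple the dashboard count from the saved-search names without summary indexing is to classify the scheduler events through a lookup rather than a wildcard on the name. The search below is an added example, not part of the original post or of any Splunk product documentation. It assumes a CSV lookup table (here called alert_types, with the columns savedsearch_name and alert_type) has been uploaded and defined under Settings > Lookups, and that the scheduler events carry the savedsearch_name, status and result_count fields as written by scheduler.log.

```spl
index=_internal sourcetype=scheduler status=success result_count>0
| lookup alert_types savedsearch_name OUTPUT alert_type
| fillnull value="unclassified" alert_type
| stats count by alert_type
```

The first line keeps only scheduler runs that completed and actually returned results, so a scheduled search that fired but matched nothing is not counted as a triggered alert. The fillnull step is the check worth keeping on the dashboard: a newly created alert that nobody has added to the lookup shows up as "unclassified" instead of silently dropping out of the count, which is exactly the failure the naming-convention approach hides. The alert_types table then carries the mapping (e.g. Failed_Auth_Windows and Failed_Auth_Linux both mapped to failed-auth), and renaming a saved search only requires updating one lookup row.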