Hi all, hope you can help me with this question.
What I'm trying to do is, given the information Splunk keeps about triggered alerts in index=_internal, create a dashboard with the alerts triggered in a period of time and, using the sid, get the actual results from that alert.
I'm using the following search to get the information about triggered alerts:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count **sid**
and I want to use the **sid** value returned to run a sub-search and get the actual values.
Something like this, if possible, would be great:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count **sid** | append [ loadjob **sid** ]
Thanks for your help.
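As an added example (not from the original post): one way to express this in SPL is the `map` command, which runs `loadjob` once per `sid` returned by the scheduler search and tags each loaded row with the sid and alert name it came from. It assumes the search artifacts for those sids still exist and that the user running the dashboard is allowed to read them.

```spl
index=_internal sourcetype=scheduler savedsearch_name="Alert*" status=success
| table _time app savedsearch_name severity status result_count sid
| head 10
| map maxsearches=10 search="| loadjob $sid$ | eval alert_sid=\"$sid$\", alert_name=\"$savedsearch_name$\""
```

`loadjob` fails for a sid whose artifact has already expired or is owned by another user without shared permissions, and `map` stops after `maxsearches` inner searches, so keep the outer search narrow. Results from different alerts may have different field sets, so the combined table is only as uniform as the alerts themselves.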