How to see the details of an alert that triggered a month ago in Splunk

In this post, I am going to discuss how to find the details of an alert that triggered long ago.

For example, you need the details of an alert that triggered a month ago, and you want to know whether it triggered successfully or not.

Generally there are three ways to view a triggered alert. The first two are:
1. Use the Triggered Alerts option under the Activity menu.
2. View recent alerts next to the alert name on the alert's page.

Let me discuss the disadvantages of these two ways and then go with the third one.

Triggered Alerts – unless you added the "Add to Triggered Alerts" action to the alert, it will not appear on this page at all. Even when it does, the entry is kept only until the alert's configured expiration, which is 24 hours by default.

View recent alerts – these details are available only for 24 hours after the alert triggers.

So here comes the third, and most reliable, way to find alert details from the past.

Splunk logs its own activity, including every run of a scheduled search, and stores it in internal indexes. The scheduler writes one event per run to scheduler.log, which is indexed as sourcetype=scheduler in the _internal index, and those events are what we search. One caveat: _internal has its own retention setting (30 days by default), so an alert from a month ago sits right at the edge of what is still searchable; if the events are missing, check frozenTimePeriodInSecs for _internal in indexes.conf.

Go to the search head (the scheduler runs there, so that is where these events are logged) and, if you want to search by alert name, use the SPL query below.

index=_internal sourcetype=scheduler savedsearch_name="Test Alert"


Or, if you want all the alerts that fired in a particular time frame, use the query below.

index=_internal sourcetype=scheduler thread_id="AlertNotifierWorker-0" app="search"


The second query filters to alerts in the Search app; you can refine the search based on your requirement, for example by another app name, or by a wildcard on thread_id if your search head runs more than one AlertNotifierWorker thread.

Each scheduler event also carries status, result_count and alert_actions fields, which tell you whether the run succeeded (as opposed to being skipped), how many results it returned and which actions fired. Checking those is how you confirm the alert actually triggered rather than only that it was scheduled.

Set the time range picker to the specific period you are interested in to find all the alerts triggered during that time.
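To show what the fields in those scheduler events mean in practice, here is an added example that is not part of the original post: a small Python script that applies the same alert-name, app and time-range filters as the two SPL queries above to constructed scheduler.log lines, then reports for each run whether it succeeded and whether an alert action fired. The sample log lines are made up for this example (the field layout follows real scheduler events, but the values, sids and the skipped-run reason are invented), and the helper names `utc`, `find_alert_runs` and `summarize_run` are mine, not Splunk's. The same logic applies whether you read the events from `index=_internal` or from scheduler.log on disk.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real log data) in the scheduler.log format that
# "index=_internal sourcetype=scheduler" returns. Field names mirror real Splunk
# scheduler events; values, sids and the skip reason are invented for this example.
SAMPLE_SCHEDULER_LOG = """\
01-10-2024 09:00:03.210 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Test Alert", search_type="scheduled", user="admin", app="search", savedsearch_name="Test Alert", priority=default, status=success, digest_mode=1, scheduled_time=1704877200, window_time=0, dispatch_time=1704877201, run_time=2.105, result_count=7, alert_actions="email", sid="scheduler__admin__search__RMD5aa_at_1704877200_11", suppressed=0, thread_id="AlertNotifierWorker-0"
01-10-2024 10:00:04.002 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Test Alert", search_type="scheduled", user="admin", app="search", savedsearch_name="Test Alert", priority=default, status=success, digest_mode=1, scheduled_time=1704880800, window_time=0, dispatch_time=1704880801, run_time=1.877, result_count=0, alert_actions="", sid="scheduler__admin__search__RMD5aa_at_1704880800_12", suppressed=0, thread_id="AlertNotifierWorker-0"
01-10-2024 11:00:00.500 +0000 WARN  SavedSplunker - savedsearch_id="nobody;search;Test Alert", search_type="scheduled", user="admin", app="search", savedsearch_name="Test Alert", priority=default, status=skipped, reason="maxconcurrent limit reached", scheduled_time=1704884400, window_time=0, sid="", thread_id="AlertNotifierWorker-0"
01-10-2024 11:00:02.700 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Other Report", search_type="scheduled", user="admin", app="search", savedsearch_name="Other Report", priority=default, status=success, digest_mode=1, scheduled_time=1704884400, window_time=0, dispatch_time=1704884401, run_time=0.912, result_count=3, alert_actions="", sid="scheduler__admin__search__RMD5bb_at_1704884400_13", suppressed=0, thread_id="AlertNotifierWorker-0"
"""

# Line header: timestamp, log level, component, then the key=value body.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\w+) - (?P<body>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def utc(*args):
    """Build an aware UTC datetime, e.g. utc(2024, 1, 10, 10, 30) (helper for this example)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_scheduler_event(line):
    """Turn one scheduler.log line into a dict of fields, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {
        "_time": datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z"),
        "level": m.group("level"),
        "component": m.group("component"),
    }
    for key, quoted, bare in KV_RE.findall(m.group("body")):
        event[key] = bare if bare else quoted
    return event


def find_alert_runs(log_text, savedsearch_name=None, app=None, earliest=None, latest=None):
    """Filter scheduler events the way the page's SPL does: by alert name, app and time range.

    earliest is inclusive and latest is exclusive, matching Splunk's time range semantics.
    """
    runs = []
    for line in log_text.splitlines():
        ev = parse_scheduler_event(line)
        if ev is None or ev["component"] != "SavedSplunker":
            continue
        if savedsearch_name is not None and ev.get("savedsearch_name") != savedsearch_name:
            continue
        if app is not None and ev.get("app") != app:
            continue
        if earliest is not None and ev["_time"] < earliest:
            continue
        if latest is not None and ev["_time"] >= latest:
            continue
        runs.append(ev)
    return runs


def summarize_run(ev):
    """Answer the question the post asks: did this run succeed, and did the alert fire?"""
    # alert_actions is a comma-separated list of the actions that ran; empty means none fired.
    actions = [a for a in ev.get("alert_actions", "").split(",") if a]
    status = ev.get("status", "unknown")
    scheduled = None
    if "scheduled_time" in ev:
        scheduled = datetime.fromtimestamp(int(ev["scheduled_time"]), tz=timezone.utc)
    return {
        "scheduled": scheduled.isoformat() if scheduled else None,
        "status": status,  # success, skipped, continued, ...
        "result_count": int(ev["result_count"]) if "result_count" in ev else None,
        "actions": actions,
        # A run that completed but matched nothing has alert_actions="" and did not fire.
        "fired": status == "success" and bool(actions),
        "reason": ev.get("reason"),  # populated when the scheduler skipped the run
    }


if __name__ == "__main__":
    # Equivalent of the first SPL query with the time range picker set to one day.
    for ev in find_alert_runs(SAMPLE_SCHEDULER_LOG, savedsearch_name="Test Alert",
                              earliest=utc(2024, 1, 10), latest=utc(2024, 1, 11)):
        print(summarize_run(ev))
```

Of the three "Test Alert" runs in the sample, only the first both succeeded and ran an action; the second completed with zero results (so nothing fired), and the third was skipped by the scheduler, which is exactly the distinction the Triggered Alerts page cannot show you once its entries have expired.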

Please feel free to add any other methods, if you think we can find the alerts triggered in the past.

Happy Splunking…!

One thought on "How to see the details of an alert that triggered a month ago in Splunk"

  1. Nice to know we can access this through SPL, but I guess the scheduler.log file contains all these details. So we can also refer to that. #happysplunking
