Hello there,
Is there a way to extract host (not the indexer) information from the generated alerts using search? I have tried the below:
index=_audit action=alert_fired
which gives me the sid, and then I used the below command to find the hosts associated with a particular alert:
|loadjob <sid>
Is there any other way to find out the complete alert information using a single search which shows host name, alert name, severity, sid, search job, etc.?
Thx.