https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223971#M65968 <P>Do you mean something like this?</P> <PRE><CODE>SEVERITY ALERT IPS ---------------------------------------- MAJOR alert_1 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 alert_2 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 MINOR alert_3 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 </CODE></PRE> <P>If not can you demonstrate the table you want to achieve? Also if you can post a sample of what your events look like that would help .</P> Wed, 22 Jun 2016 11:17:11 GMT jplumsdaine22 2016-06-22T11:17:11Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223970#M65967 <P>I have multiple alerts, each at different severity levels. The output of these alerts are fields like source, destination IP, and user.</P> <P>If I want a dashboard that shows me the top 5 source IPs by severity by alert, for example - or anything other sort of 'count by (field) over (alert name) by (severity)' type logic - what are the Splunk mechanisms to do so?</P> <P>I can't map out in my mind what is the best way to get the alert NAME, alert RESULTS, and alert SEVERITY in one place that a user can search against on demand?</P> Tue, 21 Jun 2016 17:18:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223970#M65967 yacht_rock 2016-06-21T17:18:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223971#M65968 <P>Do you mean something like this?</P> <PRE><CODE>SEVERITY ALERT IPS ---------------------------------------- MAJOR alert_1 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 alert_2 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 MINOR alert_3 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 </CODE></PRE> <P>If not can you demonstrate the table you want to achieve? Also if you can post a sample of what your events look like that would help .</P> Wed, 22 Jun 2016 11:17:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223971#M65968 jplumsdaine22 2016-06-22T11:17:11Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223972#M65969 <P>Hi!</P> <P>Yes, a table like that is exactly what I'm looking for. I was experimenting with a summary index via | collect index=alert_summary at the end of each alert's SPL, then using a data model to calculate a "severity" field based on search_name (the field 'search_name' is auto-added into the summary index along with my alert's results)</P> Tue, 29 Sep 2020 10:01:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223972#M65969 yacht_rock 2020-09-29T10:01:47Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223973#M65970 <P>Have you looked at this app? <A href="https://splunkbase.splunk.com/app/2665/#/overview">https://splunkbase.splunk.com/app/2665/#/overview</A></P> Wed, 22 Jun 2016 21:38:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223973#M65970 sk314 2016-06-22T21:38:08Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223974#M65971 <P>Try this</P> <PRE><CODE>index=yourindex | stats values(IPS) as IPS by SEVERITY ALERT </CODE></PRE> Thu, 23 Jun 2016 01:03:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-to-track-alert-results-by-severity/m-p/223974#M65971 sundareshr 2016-06-23T01:03:03Z