Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Alerts Dashboard

maayan
Path Finder
‎01-10-2024 01:04 AM

Hi,

i need to find a way to present all alerts in a dashboard(Classic/Studio). users don't want to get mail for each alert, they prefer to see (maybe in a table ) all the alerts in one page + the alert's last result.
and maybe to click on the alert and get the last search.

is it possible to create an alerts dashboard?

thanks,
Maayan

0 Karma
Reply

maayan
Path Finder
‎01-10-2024 02:01 AM

Hi,

Thanks! i will check. i dont have permission to install apps.
i wonder if there is an internal query to get all alerts and their results

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2024 02:42 AM

Hi @maayan,

with this search you can list all the alerts

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where alert_type!="always"
| table title

and with this search yu can list the fired alerts

index=_audit action="alert_fired" 
| rename ss_name AS title 
| join title [ | rest /services/saved/searches | table title, alert_threshold ] 
| timechart values(alert_threshold) AS alert_threshold count by title

Ciao.

Giuseppe

Reply

maayan
Path Finder
‎01-10-2024 03:47 AM

Hi,

It's a very useful query!

| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"



I need the alerts results and the second query doesn't work for me. i have already created an alert and see in under the "Alerts" tab and scheduled in today.
What i need to change in the second query to results? 
maybe something in the alert setting? or different index?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2024 01:32 AM

Hi @maayan,

did you explored the Alert Manager App (https://splunkbase.splunk.com/app/2665)?

Try it, I usually use it when I cannot use ES.

Put attention only to one point: the app can see only alerts with a Global sharing.

Ciao.

Giuseppe

0 Karma
Reply

maayan
Path Finder
‎01-14-2024 01:22 AM

we don't have permission to install the app. i will try to ask the infra team again.
is there an option to add the alert result to this query?

| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and stall ...

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Are you ready to uncover the threats hiding in plain sight? Join us for "Print, Leak, Repeat: UEBA Insider ...

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...