Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alerts Dashboard

maayan
Path Finder
‎01-10-2024 01:04 AM

Hi,

i need to find a way to present all alerts in a dashboard(Classic/Studio). users don't want to get mail for each alert, they prefer to see (maybe in a table ) all the alerts in one page + the alert's last result.
and maybe to click on the alert and get the last search.

is it possible to create an alerts dashboard?

thanks,
Maayan

Labels (1)
Labels
0 Karma
Reply

maayan
Path Finder
‎01-10-2024 02:01 AM

Hi,

Thanks! i will check. i dont have permission to install apps.
i wonder if there is an internal query to get all alerts and their results

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2024 02:42 AM

Hi @maayan,

with this search you can list all the alerts

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where alert_type!="always"
| table title

and with this search yu can list the fired alerts

index=_audit action="alert_fired" 
| rename ss_name AS title 
| join title [ | rest /services/saved/searches | table title, alert_threshold ] 
| timechart values(alert_threshold) AS alert_threshold count by title

Ciao.

Giuseppe

Reply

maayan
Path Finder
‎01-10-2024 03:47 AM

Hi,

It's a very useful query!

| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"



I need the alerts results and the second query doesn't work for me. i have already created an alert and see in under the "Alerts" tab and scheduled in today.
What i need to change in the second query to results? 
maybe something in the alert setting? or different index?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2024 01:32 AM

Hi @maayan,

did you explored the Alert Manager App (https://splunkbase.splunk.com/app/2665)?

Try it, I usually use it when I cannot use ES.

Put attention only to one point: the app can see only alerts with a Global sharing.

Ciao.

Giuseppe

0 Karma
Reply

maayan
Path Finder
‎01-14-2024 01:22 AM

we don't have permission to install the app. i will try to ask the infra team again.
is there an option to add the alert result to this query?

| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...