Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alerts Dashboard

maayan
Path Finder
‎01-10-2024 01:04 AM

Hi,

i need to find a way to present all alerts in a dashboard(Classic/Studio). users don't want to get mail for each alert, they prefer to see (maybe in a table ) all the alerts in one page + the alert's last result.
and maybe to click on the alert and get the last search.

is it possible to create an alerts dashboard?

thanks,
Maayan

0 Karma
Reply

maayan
Path Finder
‎01-10-2024 02:01 AM

Hi,

Thanks! i will check. i dont have permission to install apps.
i wonder if there is an internal query to get all alerts and their results

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2024 02:42 AM

Hi @maayan,

with this search you can list all the alerts

| rest splunk_server=local /servicesNS/-/-/saved/searches 
| where alert_type!="always"
| table title

and with this search yu can list the fired alerts

index=_audit action="alert_fired" 
| rename ss_name AS title 
| join title [ | rest /services/saved/searches | table title, alert_threshold ] 
| timechart values(alert_threshold) AS alert_threshold count by title

Ciao.

Giuseppe

Reply

maayan
Path Finder
‎01-10-2024 03:47 AM

Hi,

It's a very useful query!

| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"



I need the alerts results and the second query doesn't work for me. i have already created an alert and see in under the "Alerts" tab and scheduled in today.
What i need to change in the second query to results? 
maybe something in the alert setting? or different index?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-10-2024 01:32 AM

Hi @maayan,

did you explored the Alert Manager App (https://splunkbase.splunk.com/app/2665)?

Try it, I usually use it when I cannot use ES.

Put attention only to one point: the app can see only alerts with a Global sharing.

Ciao.

Giuseppe

0 Karma
Reply

maayan
Path Finder
‎01-14-2024 01:22 AM

we don't have permission to install the app. i will try to ask the infra team again.
is there an option to add the alert result to this query?

| rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...