Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I add a column to the alerts page in Splunk?

DominikGM
Explorer
‎09-09-2016 06:46 AM

How can I add a column to the alerts page in Splunk?
Specifically I want to see the enabled status in the alerts listing without clicking on "i" for each alert.

Reply

DominikGM
Explorer
‎09-13-2016 07:12 AM

To see all disabled saved searches, i.e. alerts & reports, use the "All configurations" listing which you can find under "Settings". App context "Search & Reporting (search)" and search for "savedsearch" or use this link:

$SPLUNK_HOST/manager/search/admin/directory?sort_dir=desc&sort_key=disabled&ns=search&search=savedsearch&count=100&app_only=True

The easy to customise solution is the REST API (thanks to @dwaddle's answer). To find alerts, use alerts.track=1 and the status can be retrieved from the field disabled. Here a full request:

| rest /services/saved/searches | search alert.track=1 | sort -disabled | eval condition=if(alert_type=="custom", alert_condition, alert_type." ".alert_comparator." ".alert_threshold) | table disabled title condition cron_schedule dispatch.earliest_time dispatch.latest_time alert.suppress.period search alert.digest_mode alert.severity action.email.to

Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-10-2016 10:07 AM

You cannot. At least, not in a way that your installation will continue to be supported by Splunk support. The 'alerts' page at http://localhost:8000/en-US/app/search/alerts is not a standard XML or HTML dashboard. It is based on core Backbone.js routers and views and is in a part of the overall Splunk web UI that is not intended to be user modified.

If you are willing to dive deep into the internals of the Splunk UI, put your support in jeopardy, and do things that will be replaced every time you patch you can start to look in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/views/alerts/table/Master.js and see how the page is assembled. I wouldn't recommend it though, especially not for production. You're kinda on your own there.

There's two things I hear here that could be reasonable ERs -

  1. Adding the enabled/disabled status as a header column to the alerts view
  2. Exposing the ability to customize fully the columns and data shown in pages like the alert view (and other manager pages built with the same approaches)

I would suggest you submit an Enhancement request for it. In the meanwhile you can use the | rest command to build a dashboard of enabled alerts which may suit your purpose partially.

Reply

DominikGM
Explorer
‎09-13-2016 07:16 AM

Thanks for your detailed answer. I better don't change any code in Splunk itself as it would be overridden on each Splunk update.

Thanks for the REST API hint. I explicated it in my answer.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...