How can I add a column to the alerts page in Splunk?
Specifically I want to see the enabled status in the alerts listing without clicking on "i" for each alert.
To see all disabled saved searches, i.e. alerts & reports, use the "All configurations" listing which you can find under "Settings". Set the app context to "Search & Reporting (search)" and search for "savedsearch", or use this link:
$SPLUNK_HOST/manager/search/admin/directory?sort_dir=desc&sort_key=disabled&ns=search&search=savedsearch&count=100&app_only=True
The easy to customise solution is the REST API (thanks to @dwaddle's answer). To find alerts, use alert.track=1, and the status can be retrieved from the field disabled. Here is a full request:
| rest /services/saved/searches | search alert.track=1 | sort -disabled | eval condition=if(alert_type=="custom", alert_condition, alert_type." ".alert_comparator." ".alert_threshold) | table disabled title condition cron_schedule dispatch.earliest_time dispatch.latest_time alert.suppress.period search alert.digest_mode alert.severity action.email.to
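The same listing can be produced outside Splunk Web by calling the saved/searches REST endpoint directly and post-processing its JSON output. The script below is an added example and is not code from the thread: it reproduces the filter (alert.track=1), the condition eval and the sort -disabled of the SPL search above in Python. The sample response is constructed to look like /services/saved/searches?output_mode=json; the fetch_saved_searches helper, the bearer-token header and splunkd on port 8089 are assumptions for a live run and are not exercised offline.

```python
"""Added example (not from the original Splunk Answers thread): tabulate the
enabled/disabled status of every alert from the saved/searches REST endpoint,
mirroring '| rest /services/saved/searches | search alert.track=1 ...'."""
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample shaped like /services/saved/searches?output_mode=json.
# Only the attributes the SPL search tables are included.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {
            "name": "Failed logins spike",
            "content": {
                "disabled": False,
                "alert.track": "1",
                "alert_type": "number of events",
                "alert_comparator": "greater than",
                "alert_threshold": "100",
                "cron_schedule": "*/5 * * * *",
                "dispatch.earliest_time": "-15m",
                "dispatch.latest_time": "now",
                "alert.suppress.period": "1h",
                "alert.digest_mode": "1",
                "alert.severity": "4",
                "action.email.to": "soc@example.com",
                "search": "index=auth action=failure | stats count",
            },
        },
        {
            "name": "Old noisy alert",
            "content": {
                "disabled": True,
                "alert.track": "1",
                "alert_type": "custom",
                "alert_condition": "search count > 0",
                "cron_schedule": "0 * * * *",
                "dispatch.earliest_time": "-1h",
                "dispatch.latest_time": "now",
                "alert.severity": "3",
                "search": "index=main sourcetype=legacy",
            },
        },
        {
            # A scheduled report: alert.track=0, so it must be filtered out.
            "name": "Weekly report",
            "content": {"disabled": False, "alert.track": "0",
                        "cron_schedule": "0 6 * * 1",
                        "search": "index=main | stats count by host"},
        },
    ]
})

# Same column order as the '| table ...' in the SPL search.
COLUMNS = ("disabled", "title", "condition", "cron_schedule",
           "dispatch.earliest_time", "dispatch.latest_time",
           "alert.suppress.period", "search", "alert.digest_mode",
           "alert.severity", "action.email.to")


def is_true(value: Any) -> bool:
    """splunkd emits '1'/'0' or true/false depending on the attribute."""
    return str(value).lower() in ("1", "true")


def condition_text(content: Dict[str, Any]) -> str:
    """Mirror the SPL eval: custom alerts carry their own condition, the
    others read '<alert_type> <alert_comparator> <alert_threshold>'."""
    if content.get("alert_type") == "custom":
        return str(content.get("alert_condition", ""))
    return " ".join(str(content.get(k, "")) for k in
                    ("alert_type", "alert_comparator", "alert_threshold"))


def alert_listing(raw_json: str) -> List[Dict[str, Any]]:
    """Parse the endpoint's JSON and return one row per alert, disabled
    alerts first (the equivalent of '| sort -disabled')."""
    rows = []
    for entry in json.loads(raw_json)["entry"]:
        content = entry.get("content", {})
        if not is_true(content.get("alert.track")):
            continue  # scheduled reports are not alerts
        row = {"disabled": is_true(content.get("disabled")),
               "title": entry["name"],
               "condition": condition_text(content)}
        for col in COLUMNS[3:]:
            row[col] = content.get(col, "")
        rows.append(row)
    rows.sort(key=lambda r: r["disabled"], reverse=True)
    return rows


def fetch_saved_searches(base_url: str, token: str) -> str:
    """Live fetch (assumed: splunkd management port, e.g. https://host:8089,
    and a Splunk bearer token). count=0 asks for every saved search."""
    req = urllib.request.Request(
        f"{base_url}/services/saved/searches?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for row in alert_listing(SAMPLE_RESPONSE):
        print(" | ".join(str(row[col]) for col in COLUMNS))
```

Swap SAMPLE_RESPONSE for fetch_saved_searches("https://splunk.example:8089", token) to run it against a live instance; the disabled column then answers the original question for every alert in one listing.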
You cannot. At least, not in a way that your installation will continue to be supported by Splunk support. The 'alerts' page at http://localhost:8000/en-US/app/search/alerts is not a standard XML or HTML dashboard. It is based on core Backbone.js routers and views and is in a part of the overall Splunk web UI that is not intended to be user modified.
If you are willing to dive deep into the internals of the Splunk UI, put your support in jeopardy, and do things that will be replaced every time you patch, you can start to look in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/views/alerts/table/Master.js and see how the page is assembled. I wouldn't recommend it though, especially not for production. You're kinda on your own there.
There are two things I hear here that could be reasonable ERs -
I would suggest you submit an Enhancement request for it. In the meanwhile you can use the | rest command to build a dashboard of enabled alerts which may suit your purpose partially.
Thanks for your detailed answer. I'd better not change any code in Splunk itself as it would be overridden on each Splunk update.
Thanks for the REST API hint. I explicated it in my answer.