Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I show every alert notification in a dashboard?

noybin
Communicator
‎07-06-2017 05:15 AM

Hello,

I've created a Dashboard in which I am showing every triggered alert by searching in: index=_audit action=alert_fired

I am having a problem with the alerts I've set to notify by email "for each result". These alerts are shown just once in my dashboard and I need to see every as many alerts in the Dashboard as notifications I've received.

Can you help me achieving this?
Thank's in advance

0 Karma
Reply

adonio
Ultra Champion
‎07-06-2017 07:22 PM

hello there,
just tested the condition you are describing and seems like it is working fine, i set an alert to run real time on a condition that is being met constantly and have it send an email for every result and i see the events correctly in the _audit index. can you confirm you did not throttle alerts (read here: http://docs.splunk.com/Documentation/Splunk/6.6.2/Alert/ThrottleAlerts) and you receive multiple emails and only one event for the alert?
regardless, i have a workaround that might help you with your dashboard. create a small index for alerts and name it. now, when saving an alert, add the "Log Event" alert action to your alerts. fill all the right fields, see screenshot: and now you will have an easy way to create nice reports and dashboards on all your alerts as they will be logged in the new index
alt text

hope it helps

Preview file
156 KB
0 Karma
Reply

noybin
Communicator
‎07-11-2017 02:12 PM

Hi, thank's for your response.

I don't have throttle enabled. The notifications are received (by email) correctly "for each result".
My problem is that I can not list those triggered alerts "for each result in a report" because in the _audit index each alert is only logged once.

I can neither use the alternative of "Log Event" action because the client is using Splunk 6.1.4 and that action doesn't exist in that version.
They can not upgrade because they don't own the License Master which is in that version.

Any other alternative?

Thank's again.
Regards

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...