Alerting

How can I show every alert notification in a dashboard?

noybin
Communicator

Hello,

I've created a Dashboard in which I am showing every triggered alert by searching in: index=_audit action=alert_fired

I am having a problem with the alerts I've set to notify by email "for each result". These alerts are shown just once in my dashboard and I need to see as many alerts in the Dashboard as notifications I've received.

Can you help me achieve this?
Thanks in advance

0 Karma

adonio
Ultra Champion

Hello there,
I just tested the condition you are describing and it seems to be working fine. I set an alert to run in real time on a condition that is being met constantly and had it send an email for every result, and I see the events correctly in the _audit index. Can you confirm that you did not throttle alerts (read here: http://docs.splunk.com/Documentation/Splunk/6.6.2/Alert/ThrottleAlerts) and that you receive multiple emails and only one event for the alert?
Regardless, I have a workaround that might help you with your dashboard. Create a small index for alerts and name it. Now, when saving an alert, add the "Log Event" alert action to your alerts. Fill in all the right fields (see screenshot), and now you will have an easy way to create nice reports and dashboards on all your alerts, as they will be logged in the new index.

hope it helps

0 Karma
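The "Log Event" workaround from the reply above, written out as configuration; this is an added example, not part of the original posts. The index name `alert_log`, the sourcetype `alert_fired`, the alert name, its search and the e-mail address are all constructed assumptions, and it requires a Splunk version that ships the Log Event action.

```ini
# indexes.conf: small dedicated index for alert events
# (the name "alert_log" is an assumption)
[alert_log]
homePath   = $SPLUNK_DB/alert_log/db
coldPath   = $SPLUNK_DB/alert_log/colddb
thawedPath = $SPLUNK_DB/alert_log/thaweddb

# savedsearches.conf: hypothetical alert; name, search and recipient are constructed
[Failed logins per host]
search = index=main sourcetype=linux_secure "Failed password" | stats count by host | where count > 20
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
# 0 = run the alert actions once per result row ("for each result"),
# 1 = run them once for the whole result set
alert.digest_mode = 0
# throttling off, so no trigger is suppressed
alert.suppress = 0
action.email = 1
action.email.to = soc@example.com
# Log Event action: writes one event into alert_log every time the actions run
action.logevent = 1
action.logevent.param.index = alert_log
action.logevent.param.sourcetype = alert_fired
action.logevent.param.event = alert_name="$name$" affected_host="$result.host$" count=$result.count$

# Dashboard panel search over the logged events:
#   index=alert_log sourcetype=alert_fired | timechart count by alert_name
```

Because the logged event is written as key="value" pairs, `alert_name` and `affected_host` are extracted automatically at search time and can be used directly in the dashboard panel.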

noybin
Communicator

Hi, thanks for your response.

I don't have throttle enabled. The notifications are received (by email) correctly "for each result".
My problem is that I cannot list those triggered alerts "for each result in a report" because in the _audit index each alert is only logged once.

I cannot use the alternative of the "Log Event" action either, because the client is using Splunk 6.1.4 and that action doesn't exist in that version.
They cannot upgrade because they don't own the License Master, which is in that version.

Any other alternative?

Thanks again.
Regards

0 Karma