Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to move alerts through a workflow
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alarms at first glance, seem a bit limited but I may be missing something. Tried reading the docs and searching around in the community but haven't had luck today.
I can create them with severity (this is good), have them show in my "triggered alerts" but I cannot find workflow abilities… Choices like "annotate, assign, or close them (aside from delete)".
As an example a team would watch a board for an alert and would call-out to a response team. The team that is on-call or actioning should be able to remove the alerts from the other screen or assign them to individuals to work on (mark as in-progress).
I've done this in other SIEM's and hope it doesn't require webhooks to an external application, perhaps I can custom do this on a dashboard but would need a bit of guidance.
Thoughts? Thank you in advance. (First time posting)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
this is a feature that pretty much describes workflow handling in splunk enterprise security, which is a splunk premium solution. You can find more information and the posibility to get a demo here: https://www.splunk.com/en_us/software/enterprise-security.html
There is also a more light weight solution to this at splunk base, called alert manager:
https://splunkbase.splunk.com/app/2665/
Which seems to realize your mentioned use cases pretty accurate.
Greetings
Tom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no case-management capability in core splunk. This featureset exists in Splunk's premium app Enterprise Security and also in the free Alert Manager app in splunkbase. We are also working on our own premium app for this (as are others, I am sure).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
this is a feature that pretty much describes workflow handling in splunk enterprise security, which is a splunk premium solution. You can find more information and the posibility to get a demo here: https://www.splunk.com/en_us/software/enterprise-security.html
There is also a more light weight solution to this at splunk base, called alert manager:
https://splunkbase.splunk.com/app/2665/
Which seems to realize your mentioned use cases pretty accurate.
Greetings
Tom
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
