Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Is it possible to use all of the parameters fr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to use all of the parameters from an alert in a dashboard panel?
Hello,
Still checking Answers.
Is it possible to use all of the parameters from an alert in a dashboard panel?
Positive results from an alert set tokens that panels use to show the panel (depends).
Our dashboard contains the search SPL from many alerts. When changes occur we have to edit in two places (alerts and XML code). We want to only edit the alert. As well as use other alert parameters; i.e.; cron schedule, throttling, etc.
EDIT
Here is one of the panel searches.
<search>
<query>index IN (catalina,solarisevents)
AND source=/logs/access
AND sourcetype=access_combined
AND host=host3*
AND method IN (GET,POST)
(date_hour > 6 AND date_hour < 19)
| eval certsFiled=case(file="confirm.jsp","1")
| timechart count(method) AS Hits, count(certsFiled) AS Certs span=2min
| eval ratio=Certs/Hits
| where ratio < .01
<!--| where 1=1--></query>
<earliest>-5min@min</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
<refresh>30sec</refresh>
<refreshType>delay</refreshType>
<progress>
<condition match="'job.resultCount' > 0">
<set token="panel_show3">true</set>
</condition>
<condition>
<unset token="panel_show3"></unset>
</condition>
</progress>
</search>
Here is the alert.
Host3Count
index IN (catalina,solarisevents)
AND source=/logs/access
AND sourcetype=access_combined
AND host=host3*
AND JAR3
| timechart count span=1m
| delta count as dcount
| eval prevCount = count-dcount
| fields - dcount
| search prevCount > 100 and count < 20
The alert is scheduled; runs on corn; has trigger conditions and actions.
I want to reference the alert and all of the associated parameters (cron, etc.) from a dashboard panel. If the alert generates results, then that panel will be displayed (uses tokens and <panel depends="$panel_show3$">).
Stay safe and healthy, you and yours.
Thanks and God bless,
Genesius
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since the alert creates a job, the below two links may help.
This uses | rest /services/search/jobs
https://answers.splunk.com/answers/83436/dashboard-of-jobs.html
If it is a saved search, this may be better to look at
This uses | loadjob savedsearch="user:app:my_search"
https://answers.splunk.com/answers/260035/what-can-we-use-to-replace-loadjob-based-dashboard.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dashboards and alerts (imho) have different purposes and therefore answer different use cases. I can see how you would like to alert on certain conditions and then view the condition(s) metrics in a dasboard. I can also see how and why you would want to "dashboard" your alerts and report on them, but i am having hard time to understand your question / use case.
can you please elaborate? lets say you have a dashboard with 2 panels, and 2 alerts ... what exactly is the desired result? what are you trying to accomplish?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@adonio
Editing original question.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
