Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a Visualization that shows Dashboard Frequency of a Splunk Alert?

rthomas247
Engager
‎07-22-2021 07:38 AM

Hi,

I'd like to create a visualization that shows trends between alerts that have been fired. The graph will show the frequency of a given range of alerts and how often they was triggered on the source file.

 

Thanks,

Rob 

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2021 11:54 AM

Perhaps this search will be more helpful.

index=_internal sourcetype=Scheduler thread_id="AlertNotifier*" alert_actions=* NOT (alert_actions="summary_index" OR alert_actions="") 
| timechart count by savedsearch_name
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2021 05:43 AM

It's not clear to me exactly what you want, but I believe you should start with a list of fired alerts.  Get it with this query.

| rest/servicesNS/-/-/alerts/fired_alerts
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

rthomas247
Engager
‎07-23-2021 10:43 AM

@richgalloway , Thanks for the quick turnaround.

I'd like to create a dashboard that shows me all my alerts that have fired over a given time period so I can gauge how often the alerts are fired compared to one another in a bar chart  | pie chart. I'm looking to optimize alerts that are fired too often. 

for example, if I have 100 alerts and 40 of them fire every 10m - 15m. I want to be able to focus these 40 alerts to determine if I can optimize the query, reduce duplications or sunset the alert if it is no longer needed. Ideally, I'd like to start with a line or bar chart once I can see the data perhaps choose another chart to better represent the data.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2021 11:54 AM

Perhaps this search will be more helpful.

index=_internal sourcetype=Scheduler thread_id="AlertNotifier*" alert_actions=* NOT (alert_actions="summary_index" OR alert_actions="") 
| timechart count by savedsearch_name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

onurasln55
Explorer
‎12-31-2022 01:49 AM

There is no _internal index.  Could it be disabled by admin?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-31-2022 05:33 AM

There is always an _internal index.  It may be possible for an admin to rename it, but that would break so much stuff that it would be a crazy thing to attempt.

It's more likely you don't have access to _internal.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

rthomas247
Engager
‎08-03-2021 09:08 AM

Thanks! This is it!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...