Dashboards & Visualizations

Create a Visualization that shows Dashboard Frequency of a Splunk Alert?

rthomas247
Engager

Hi,

I'd like to create a visualization that shows trends between alerts that have been fired. The graph will show the frequency of a given range of alerts and how often they was triggered on the source file.

 

Thanks,

Rob 

Labels (3)
Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Perhaps this search will be more helpful.

index=_internal sourcetype=Scheduler thread_id="AlertNotifier*" alert_actions=* NOT (alert_actions="summary_index" OR alert_actions="") 
| timechart count by savedsearch_name
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It's not clear to me exactly what you want, but I believe you should start with a list of fired alerts.  Get it with this query.

| rest/servicesNS/-/-/alerts/fired_alerts
---
If this reply helps you, Karma would be appreciated.
0 Karma

rthomas247
Engager

@richgalloway , Thanks for the quick turnaround.

I'd like to create a dashboard that shows me all my alerts that have fired over a given time period so I can gauge how often the alerts are fired compared to one another in a bar chart  | pie chart. I'm looking to optimize alerts that are fired too often. 

for example, if I have 100 alerts and 40 of them fire every 10m - 15m. I want to be able to focus these 40 alerts to determine if I can optimize the query, reduce duplications or sunset the alert if it is no longer needed. Ideally, I'd like to start with a line or bar chart once I can see the data perhaps choose another chart to better represent the data.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps this search will be more helpful.

index=_internal sourcetype=Scheduler thread_id="AlertNotifier*" alert_actions=* NOT (alert_actions="summary_index" OR alert_actions="") 
| timechart count by savedsearch_name
---
If this reply helps you, Karma would be appreciated.
0 Karma

onurasln55
Explorer

There is no _internal index.  Could it be disabled by admin?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is always an _internal index.  It may be possible for an admin to rename it, but that would break so much stuff that it would be a crazy thing to attempt.

It's more likely you don't have access to _internal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rthomas247
Engager

Thanks! This is it!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...