Dashboard Frequency of a Splunk Alert

rthomas247
Engager

Hi,

I'd like to create a visualization that shows trends between alerts that have been fired. The graph will show the frequency of a given range of alerts and how often they were triggered on the source file.

Thanks,

Rob 

0 Karma

richgalloway
SplunkTrust

It's not clear to me exactly what you want, but I believe you should start with a list of fired alerts.  Get it with this query.

| rest /servicesNS/-/-/alerts/fired_alerts
---
If this reply helps you, an upvote would be appreciated.
0 Karma

rthomas247
Engager

@richgalloway, thanks for the quick turnaround.

I'd like to create a dashboard that shows me all my alerts that have fired over a given time period so I can gauge how often the alerts are fired compared to one another in a bar chart | pie chart. I'm looking to optimize alerts that are fired too often.

For example, if I have 100 alerts and 40 of them fire every 10m - 15m, I want to be able to focus on these 40 alerts to determine if I can optimize the query, reduce duplications or sunset the alert if it is no longer needed. Ideally, I'd like to start with a line or bar chart; once I can see the data, perhaps choose another chart to better represent the data.

0 Karma

richgalloway
SplunkTrust

Perhaps this search will be more helpful.

index=_internal sourcetype=Scheduler thread_id="AlertNotifier*" alert_actions=* NOT (alert_actions="summary_index" OR alert_actions="") 
| timechart count by savedsearch_name
---
If this reply helps you, an upvote would be appreciated.

0 Karma
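
For the tuning goal described in the thread (finding the alerts that fire every 10m - 15m), the accepted search can be extended to rank alerts by fire count and by the typical gap between consecutive fires. This is an added example, not part of the original posts; the field names `prev_fire`, `gap_min`, `fires`, `median_gap_min` and `min_gap_min` are made up for illustration, and the 15-minute cutoff is an assumption taken from the example in the question.

```spl
index=_internal sourcetype=Scheduler thread_id="AlertNotifier*" alert_actions=* NOT (alert_actions="summary_index" OR alert_actions="")
| sort 0 savedsearch_name _time
| streamstats current=f last(_time) as prev_fire by savedsearch_name
| eval gap_min = round((_time - prev_fire) / 60, 1)
| stats count as fires, median(gap_min) as median_gap_min, min(gap_min) as min_gap_min by savedsearch_name
| where median_gap_min <= 15
| sort - fires
```

The result is one row per alert, which suits a bar chart of `fires`. An alert that fired only once in the time range has no gap value and is dropped by the `where` clause.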

rthomas247
Engager

Thanks! This is it!

0 Karma