Hello Everyone,
I have created 8 different alerts. I would like to display a list of these alerts in a panel in my dashboard. Is there a simple way I can do that? By the way, I’m a newbie splunker, so bear with me if I ask a lot of silly questions.
It's possible to list all alerts using the rest search command in SPL. Using this you can create a dashboard panel. Here's an example that lists all alerts, and also redirects to the alert details page when you click on a row:
<dashboard>
  <label>Alerts List in Dashboards</label>
  <row>
    <panel>
      <table>
        <title>Alerts</title>
        <search>
          <query>| rest /servicesNS/admin/search/saved/searches | where actions != "" OR 'alert.track'==1 | table title search eai:acl.app eai:acl.owner | rename eai:acl.* as * title as name</query>
          <earliest></earliest>
          <latest></latest>
        </search>
        <option name="drilldown">row</option>
        <fields>name,search</fields>
        <drilldown>
          <link>/app/search/alerts?s=%2FservicesNS%2F$row.owner$%2F$row.app$%2Fsaved%2Fsearches%2F$row.name$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
Mr. Ziegfried, thank you so much for your reply. This is close to what I was looking for. Please let me know if what I did is possible. I grabbed the query you created with the REST command and ran it as a search in the search app. It returned a list which is exactly what I was looking for, but the list seems to be displaying only alerts under one specific app (SA-Nix) and only for the admin owner. I only want to show the alerts I've created. I believe that the alerts I've created and my dashboard are all under the search app, since what I'm basically doing is going into the search app, running a query and saving that to a dashboard.
Use the following version of the query to get saved searches from the search app for the currently logged-in user (you).
Update:
| rest /servicesNS/-/search/saved/searches | where actions != "" OR 'alert.track'==1 | table title search eai:acl.app eai:acl.owner | rename eai:acl.* as * title as name | search [| rest /services/authentication/current-context | search username!="splunk-system-user" | table username | rename username as owner ]
Thank you very much for replying, somesoni2. Unfortunately, I ran this query in search and received a server error. Am I doing something wrong?
I just updated my comment; I believe some "*" were missing. Try again.
Thanks again, somesoni2. I tried the updated query and I did not receive an error this time. Unfortunately, I received a "no results found" msg. Am I doing something wrong? All I am doing is copying your query and running it under a new search under the search app. Should this query allow me to do that? Thanks again.
| rest /servicesNS/-/-/saved/searches | where actions != "" OR 'alert.track'==1 | table title search eai:acl.app eai:acl.owner | rename eai:acl.* as * title as name | search [| rest /services/authentication/current-context/context | rename username as owner | return 1 owner ]
Thanks again for getting back to me, Ziegfried. Sorry for the delayed response, I've been sick since Monday and hadn't had a chance to check my emails. I tried this query and again I'm receiving "no results found". Can this be an access issue?