I have created 8 different alerts. I would like to display a list of these alerts in a panel in my dashboard. Is there a simple way I can do that? By the way, I’m a newbie splunker, so bear with me if I ask a lot of silly questions.
It's possible to list all alerts using the `rest` search command in SPL. Using this you can create a dashboard panel. Here's an example that lists all alerts, and also redirects to the alert details page when you click on a row:
<dashboard>
  <label>Alerts List in Dashboards</label>
  <row>
    <panel>
      <table>
        <title>Alerts</title>
        <search>
          <query>| rest /servicesNS/admin/search/saved/searches | where actions != "" OR 'alert.track'==1 | table title search eai:acl.app eai:acl.owner | rename eai:acl.* as * title as name</query>
          <earliest></earliest>
          <latest></latest>
        </search>
        <option name="drilldown">row</option>
        <fields>name,search</fields>
        <drilldown>
          <link>/app/search/alerts?s=%2FservicesNS%2F$row.owner$%2F$row.app$%2Fsaved%2Fsearches%2F$row.name$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
Mr. Ziegfried, thank you so much for your reply. This is close to what I was looking for. Please let me know if what I did is possible. I grabbed the query you created with the REST command and ran it as a search in the search app. It returned a list which is exactly what I was looking for, but the list seems to be displaying only alerts under one specific app - SA-Nix - and only for the admin owner. I only want to show the alerts I've created. I believe that the alerts I've created and my dashboard are all under the search app, since what I'm basically doing is going into the search app, running a query and saving that to a dashboard.
Use the following version of the query to get saved searches from the search app for the currently logged-in user (you).
| rest /servicesNS/-/search/saved/searches | search actions != "" OR 'alert.track'==1 [| rest /services/authentication/current-context | search username!="splunk-system-user" | table username | rename username as owner ]| table title search eai:acl.app eai:acl.owner | rename eai:acl.* as * title as name
Thank you very much for replying, somesoni2. Unfortunately, I ran this query in search and received a server error. Am I doing something wrong?
Thanks again, somesoni2. I tried the updated query and I did not receive an error this time. Unfortunately, I received a "no results found" message. Am I doing something wrong? All I am doing is copying your query and running it under a new search in the search app. Should this query allow me to do that? Thanks again.
| rest /servicesNS/-/-/saved/searches | where actions != "" OR 'alert.track'==1 | table title search eai:acl.app eai:acl.owner | rename eai:acl.* as * title as name | search [| rest /services/authentication/current-context/context | rename username as owner | return 1 owner ]
Thanks again for getting back to me, Ziegfried. Sorry for the delayed response, I've been sick since Monday and hadn't had a chance to check my emails. I tried this query and again I'm receiving "no results found". Can this be an access issue?
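Putting the two answers above together, here is a complete Simple XML dashboard that lists only the alerts owned by the user viewing it and keeps the row drilldown to the alert details page. This is an added example, not code from any of the posters; it assumes the alerts are saved in the search app, and it adds the `disabled`, `cron_schedule` and `alert.severity` fields from the saved/searches endpoint so a disabled alert is visible at a glance. Note that `| rest` only returns objects the running user is permitted to read, so a role without read access to the saved searches produces an empty table rather than an error, which is worth checking before assuming the query itself is wrong.

```xml
<dashboard>
  <label>My Alerts</label>
  <row>
    <panel>
      <table>
        <title>Alerts owned by the current user (search app)</title>
        <search>
          <!-- the subsearch resolves to owner=<current username>, restricting the list to your own alerts -->
          <query>| rest /servicesNS/-/search/saved/searches
| where actions != "" OR 'alert.track'==1
| table title search eai:acl.app eai:acl.owner disabled cron_schedule alert.severity
| rename eai:acl.* as *, title as name
| search [| rest /services/authentication/current-context/context
           | search username!="splunk-system-user"
           | rename username as owner
           | return 1 owner ]</query>
          <earliest></earliest>
          <latest></latest>
        </search>
        <option name="drilldown">row</option>
        <fields>name,search,disabled,cron_schedule,alert.severity</fields>
        <drilldown>
          <!-- owner and app come from the row, so the link resolves to the correct namespace -->
          <link>/app/search/alerts?s=%2FservicesNS%2F$row.owner$%2F$row.app$%2Fsaved%2Fsearches%2F$row.name$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
```

Run the `<query>` contents on their own in the search app first: if it returns rows there but the panel is empty, the dashboard is running under a different user or app context than expected.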