Hi. I'm very much a novice when it comes to dashboards. I have to create a dashboard that monitors our alerts. I have created this report to use to start with. I have to add a field where a ticket number can be entered for each tripped alert. Also, I have to add a drop down for each alert for the ticket status (i.e. New, WIP, Closed).
Here is my search string for the dashboard panel that shows our alerts: index=_audit action=alert_fired | eval _time=trigger_time | convert timeformat="%+" ctime(_time) as trigger_time | table trigger_time ss_name severity alert_actions sid | eval severity = case(severity==1,"Informational",severity==2,"Low",severity==3,"Medium",severity==4,"High",severity==5,"Critical") | rename trigger_time as "Alert Time:", ss_name as "Alert Name:", severity as "Alert Urgency:", alert_actions as "Alert Actions:", sid as "SID:"
I'm open to suggestions for a better way to do this. Please keep in mind that we cannot install any Splunk apps as we are in a multi-tenancy environment and do not own the Enterprise Splunk instance.