Solved: Re: Is there a way of making an Alert condition co...

SwatiApte · ‎02-19-2015

We have used a Search string in the Alert condition, which triggers an Alert if some count goes beyond a particular threshold, say 50. What should be done if we want a User to be able to modify this threshold manually, via a Dashboard? Can a token from a Dashboard be passed to an Alert condition?

PPape · ‎02-19-2015

I have done this with an lookup file.

created it in the dashboard via | outputlookup and used the | inputlookup in the alert search.

View solution in original post

PPape · ‎02-19-2015

I have done this with an lookup file.

created it in the dashboard via | outputlookup and used the | inputlookup in the alert search.

SwatiApte · ‎02-19-2015

Using a look-up though, is it possible to keep a track of all modifications to the thresholds?

MuS · ‎02-20-2015

use summary indexes for this or be patient.....there will be an awesome app available which can handle such things 😉

SwatiApte · ‎02-20-2015

Haha 🙂 Hmm...summary index is another great option, thanks..!

markthompson · ‎02-20-2015

Hey SwatiApte, using output input lookup tables simply creates a CSV file which, if you wanted to you could input and then display in a table.
What Ppape is saying is if you create the dashboard and the alert, but set the alert to input the CSV and get the latest value from it.

SwatiApte · ‎02-20-2015

Thanks Mark, what I meant was, using an Output Look-up, we are creating (or replacing) a CSV file each time the User modifies a threshold using an Input on the dashboard, so is there no way I could keep a track of what modifications were made to the look-up file and by whom?

Swati

SwatiApte · ‎02-19-2015

Oh okay, perfect! Thanks!

Is there a way of making an Alert condition configurable so a user can modify a threshold on a dashboard?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?