Creating a custom SOC monitoring dashboard using triggered alerts

aferns0804
Engager

index=_audit action=alert_fired ss_app="Threats_App"
| eval ttl=expiration-now()
| search ttl>0
| convert ctime(trigger_time)
| sort - trigger_time
| table trigger_time ss_name severity
| rename trigger_time as "Alert Time" ss_name as "Alert Name" severity as "Severity"

I created a dashboard with a panel containing the above query. It is looking for triggered alerts from my app. I want to display the results (stats) of the triggered alerts in a different panel below it, in the same dashboard.

So it's like: "here are the alerts fired, and when you click the alert name, it shows the stats (results) of that alert. Implementing this, I can see multiple alerts and the results of those alerts in the same dashboard."

I do not want to install additional apps, so please help me with this query only. Please do not suggest apps for a simple solution. Thanks 


aferns0804
Engager

[Attached screenshot: aferns0804_0-1616613803021.png]

I have this panel, which keeps updating with new alerts (query posted in my earlier post). When I click on the alert, it should show me the events on the same dashboard.


impurush
Contributor

Hi @aferns0804 ,

I understand 50% of your question, but I did not get what you mean by the result (stats) of the alert.

To implement the concept, you can use the drilldown option for the respective panel to populate a token value, and create another panel that uses this token as input in its query.
