Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a dashboard to track alert results by severity level?

yacht_rock
Explorer
‎06-21-2016 10:18 AM

I have multiple alerts, each at different severity levels. The output of these alerts are fields like source, destination IP, and user.

If I want a dashboard that shows me the top 5 source IPs by severity by alert, for example - or anything other sort of 'count by (field) over (alert name) by (severity)' type logic - what are the Splunk mechanisms to do so?

I can't map out in my mind what is the best way to get the alert NAME, alert RESULTS, and alert SEVERITY in one place that a user can search against on demand?

0 Karma
Reply

sundareshr
Legend
‎06-22-2016 06:03 PM

Try this

index=yourindex | stats values(IPS) as IPS by SEVERITY ALERT
Reply

jplumsdaine22
Influencer
‎06-22-2016 04:17 AM

Do you mean something like this?

SEVERITY       ALERT          IPS
----------------------------------------
MAJOR          alert_1         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5
               alert_2         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5
MINOR          alert_3         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5

If not can you demonstrate the table you want to achieve? Also if you can post a sample of what your events look like that would help .

0 Karma
Reply

yacht_rock
Explorer
‎06-22-2016 02:18 PM

Hi!

Yes, a table like that is exactly what I'm looking for. I was experimenting with a summary index via | collect index=alert_summary at the end of each alert's SPL, then using a data model to calculate a "severity" field based on search_name (the field 'search_name' is auto-added into the summary index along with my alert's results)

0 Karma
Reply

sk314
Builder
‎06-22-2016 02:38 PM

Have you looked at this app? https://splunkbase.splunk.com/app/2665/#/overview

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...
Top