Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a dashboard to track alert results b...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a dashboard to track alert results by severity level?
yacht_rock
Explorer
06-21-2016
10:18 AM
I have multiple alerts, each at different severity levels. The output of these alerts are fields like source, destination IP, and user.
If I want a dashboard that shows me the top 5 source IPs by severity by alert, for example - or anything other sort of 'count by (field) over (alert name) by (severity)' type logic - what are the Splunk mechanisms to do so?
I can't map out in my mind what is the best way to get the alert NAME, alert RESULTS, and alert SEVERITY in one place that a user can search against on demand?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
06-22-2016
06:03 PM
Try this
index=yourindex | stats values(IPS) as IPS by SEVERITY ALERT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jplumsdaine22
Influencer
06-22-2016
04:17 AM
Do you mean something like this?
SEVERITY ALERT IPS
----------------------------------------
MAJOR alert_1 192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
alert_2 192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
MINOR alert_3 192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
If not can you demonstrate the table you want to achieve? Also if you can post a sample of what your events look like that would help .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yacht_rock
Explorer
06-22-2016
02:18 PM
Hi!
Yes, a table like that is exactly what I'm looking for. I was experimenting with a summary index via | collect index=alert_summary at the end of each alert's SPL, then using a data model to calculate a "severity" field based on search_name (the field 'search_name' is auto-added into the summary index along with my alert's results)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sk314
Builder
06-22-2016
02:38 PM
Have you looked at this app? https://splunkbase.splunk.com/app/2665/#/overview
Get Updates on the Splunk Community!
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
The Visibility Gap: Hybrid Networks and IT Services
The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
