Splunk Search

How to create a dashboard to track alert results by severity level?

yacht_rock
Explorer

I have multiple alerts, each at different severity levels. The output of these alerts are fields like source, destination IP, and user.

If I want a dashboard that shows me the top 5 source IPs by severity by alert, for example - or any other sort of 'count by (field) over (alert name) by (severity)' type logic - what are the Splunk mechanisms to do so?

I can't map out in my mind the best way to get the alert NAME, alert RESULTS, and alert SEVERITY in one place that a user can search against on demand.

0 Karma

sundareshr
Legend

Try this

index=yourindex | stats values(IPS) as IPS by SEVERITY ALERT

jplumsdaine22
Influencer

Do you mean something like this?

SEVERITY       ALERT          IPS
----------------------------------------
MAJOR          alert_1         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5
               alert_2         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5
MINOR          alert_3         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5

If not, can you demonstrate the table you want to achieve? Also, if you can post a sample of what your events look like, that would help.

0 Karma

yacht_rock
Explorer

Hi!

Yes, a table like that is exactly what I'm looking for. I was experimenting with a summary index via | collect index=alert_summary at the end of each alert's SPL, then using a data model to calculate a "severity" field based on search_name (the field 'search_name' is auto-added into the summary index along with my alert's results).

0 Karma
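Putting the summary-index approach from this thread together into one search that yields the "top 5 source IPs by severity by alert" table, as an added example rather than SPL from any poster here. It assumes every alert ends with | collect index=alert_summary, that the source-IP field in the collected results is named src, and that severity is derived from search_name using the alert names from the table above (alert_1 and alert_2 are MAJOR, alert_3 is MINOR); the field and alert names are assumptions to be replaced with your own.

```spl
index=alert_summary
| eval severity=case(
      search_name=="alert_1" OR search_name=="alert_2", "MAJOR",
      search_name=="alert_3", "MINOR",
      true(), "UNKNOWN")
| stats count by severity search_name src
| sort 0 severity search_name -count
| streamstats count as rank by severity search_name
| where rank<=5
| stats list(src) as top_src_ips list(count) as hits by severity search_name
| rename search_name as alert
```

The streamstats rank is what limits each severity/alert pair to its five most frequent source IPs; in a dashboard the severity and alert fields can be driven by panel tokens, and the eval can be replaced by a lookup against a CSV that maps search_name to severity so new alerts need no search change.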
