Splunk Search

How to create a dashboard to track alert results by severity level?

yacht_rock
Explorer

I have multiple alerts, each at different severity levels. The output of these alerts are fields like source, destination IP, and user.

If I want a dashboard that shows me the top 5 source IPs by severity by alert, for example - or anything other sort of 'count by (field) over (alert name) by (severity)' type logic - what are the Splunk mechanisms to do so?

I can't map out in my mind what is the best way to get the alert NAME, alert RESULTS, and alert SEVERITY in one place that a user can search against on demand?

0 Karma

sundareshr
Legend

Try this

index=yourindex | stats values(IPS) as IPS by SEVERITY ALERT

jplumsdaine22
Influencer

Do you mean something like this?

SEVERITY       ALERT          IPS
----------------------------------------
MAJOR          alert_1         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5
               alert_2         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5
MINOR          alert_3         192.168.1.1
                               192.168.1.2
                               192.168.1.3
                               192.168.1.4
                               192.168.1.5

If not can you demonstrate the table you want to achieve? Also if you can post a sample of what your events look like that would help .

0 Karma

yacht_rock
Explorer

Hi!

Yes, a table like that is exactly what I'm looking for. I was experimenting with a summary index via | collect index=alert_summary at the end of each alert's SPL, then using a data model to calculate a "severity" field based on search_name (the field 'search_name' is auto-added into the summary index along with my alert's results)

0 Karma

sk314
Builder
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...