I have multiple alerts, each at a different severity level. The output of these alerts consists of fields like source, destination IP, and user.
If I want a dashboard that shows me the top 5 source IPs by severity by alert, for example, or any other sort of 'count by (field) over (alert name) by (severity)' logic, what are the Splunk mechanisms to do so?
I can't map out in my mind the best way to get the alert NAME, alert RESULTS, and alert SEVERITY in one place that a user can search against on demand.
Try this
index=yourindex | stats values(IPS) as IPS by SEVERITY ALERT
Do you mean something like this?
SEVERITY   ALERT     IPS
----------------------------------------
MAJOR      alert_1   192.168.1.1
                     192.168.1.2
                     192.168.1.3
                     192.168.1.4
                     192.168.1.5
           alert_2   192.168.1.1
                     192.168.1.2
                     192.168.1.3
                     192.168.1.4
                     192.168.1.5
MINOR      alert_3   192.168.1.1
                     192.168.1.2
                     192.168.1.3
                     192.168.1.4
                     192.168.1.5
If not, can you demonstrate the table you want to achieve? Also, if you can post a sample of what your events look like, that would help.
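The stats values() search above lists every IP per severity and alert; the question also asks for a ranked top 5. The following is an added SPL example, not part of the answer above, that extends the same stats-by pattern into a "top N of (field) over (alert) by (severity)" search. It reuses the answer's placeholder names: the index yourindex and the fields SEVERITY, ALERT and IPS are assumptions about how your events are named.

```spl
index=yourindex SEVERITY=* ALERT=* IPS=*
| stats count AS hits BY SEVERITY ALERT IPS
| sort 0 SEVERITY ALERT -hits
| streamstats count AS rank BY SEVERITY ALERT
| where rank <= 5
| stats list(IPS) AS top5_IPS list(hits) AS hits BY SEVERITY ALERT
```

Stage by stage: the first stats counts how often each IP appears per severity and alert; sort 0 orders each (SEVERITY, ALERT) group by descending count with no row limit (plain sort truncates at 10,000 rows); streamstats numbers the rows within each group in that order, so rank is the IP's position in its group; where keeps the first five; the final stats folds the survivors back into one row per severity and alert, with list() preserving the ranked order. When the ranking metric is a plain event count, top limit=5 IPS BY SEVERITY ALERT showperc=false gives the same result in one command; the streamstats form is shown because it works unchanged for any other metric, for example sum(bytes) instead of count.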
Hi!
Yes, a table like that is exactly what I'm looking for. I was experimenting with a summary index via | collect index=alert_summary at the end of each alert's SPL, then using a data model to calculate a "severity" field based on search_name (the field search_name is auto-added to the summary index along with my alert's results).
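The reply above derives severity afterwards from search_name in a data model. As an added example (not the poster's own SPL), here is the same summary-index approach with the severity assigned in each alert's search before collect, so that severity, search_name and the alert's result fields land in the summary index together and can be searched on demand without a data model. The index name alert_summary comes from the reply; the source indexes fw and ids, the result fields src_ip, dest_ip and user, the two alert definitions and their severities are assumptions for illustration.

```spl
index=fw action=blocked
| stats count AS hits BY src_ip dest_ip user
| eval severity="MAJOR"
| collect index=alert_summary

index=ids signature="*bruteforce*"
| stats count AS hits BY src_ip dest_ip user
| eval severity="MINOR"
| collect index=alert_summary

index=alert_summary severity=* search_name=*
| stats values(src_ip) AS src_ips dc(src_ip) AS src_count BY severity search_name

index=alert_summary severity=MAJOR src_ip=192.168.1.1
| table _time search_name severity src_ip dest_ip user
```

The first two searches are the scheduled alerts; each writes its results, tagged with a literal severity, into alert_summary, and, as the reply notes, search_name is added automatically when the search runs on a schedule (it is not added to an ad hoc run, so test the collect step from the saved search, not from the search bar). The third search is the dashboard panel: one row per severity and alert name with the distinct source IPs, directly comparable to the table in the answer above. The fourth is the on-demand drill-down a user can type themselves, filtering on severity and an IP value; because severity was stored at collect time it is an indexed field in the summary events rather than something recomputed per search. Two caveats: the alert_summary index must exist before the first collect runs (collect does not create it), and collect writes events with the sourcetype stash, which does not count against license but also means any field extractions tied to the original sourcetype no longer apply, which is why the alerts stats the fields they need before collecting.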
Have you looked at this app? https://splunkbase.splunk.com/app/2665/#/overview