Hi all, hope you can help me with this question.
What I'm trying to do is, given the information Splunk keeps about triggered alerts in index=_internal, create a dashboard with the alerts triggered in a period of time and, using the sid, get the actual results from that alert.
I'm using the following search to get the information about triggered alerts:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count sid
and I want to use the sid value returned to run a sub-search and get the actual values.
Something like this, if possible, would be great:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count sid | append [ loadjob sid ]
Thanks for your help.
Just in case you haven't already checked it out, have you seen the built-in Triggered Alerts dashboard? https://your.splunk.instance:8000/en-US/alerts/search
For your own custom one you might be better off having one dashboard that lists all the alerts using your search, then have a dynamic drilldown that links to /app/search/search?q=|loadjob $relevantToken$
Have a look at the documentation and examples here: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Dynamicdrilldownindashboardsandforms
And for the token values you can use for your drill down see this section: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/tokens#Define_tokens_for_dynamic_drilldown
Both options actually work, thanks for your comments. However, for my particular requirement, I ended up building a dynamic drill down using the SID.
The map command might work in this case:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count sid | map [ | loadjob $sid$ ]
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Map
You might also find this useful eventually:
map also supports a search id field, provided as $_serial_id$, which will have a number incremented for each run search. In other words, the first run search will have the value 1, the second 2, and so on.
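To make the two suggestions above concrete, here is an added Simple XML dashboard (example code, not from the original thread, the Splunk docs, or any Splunk app). The first panel is the drilldown approach from the first answer: clicking a row of the scheduler table opens |loadjob for that row's sid in a new search tab. The second panel is the map approach from the second answer, with $_serial_id$ used to tag which run each result row came from. The dashboard label, the -24h@h time range, the run field name and maxsearches=20 are my assumptions, not values from the thread.

```xml
<dashboard>
  <label>Triggered alerts with drilldown to results (added example)</label>

  <row>
    <panel>
      <title>Alerts triggered in the selected time range</title>
      <table>
        <search>
          <!-- the scheduler search from the question, unchanged -->
          <query>index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success
| table _time app savedsearch_name severity status result_count sid</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- row drilldown: $row.sid$ is the sid cell of the clicked row -->
        <option name="drilldown">row</option>
        <drilldown>
          <link target="_blank">/app/search/search?q=|loadjob $row.sid$</link>
        </drilldown>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <title>Results of every listed alert (map approach)</title>
      <table>
        <search>
          <!-- $$sid$$ and $$_serial_id$$ are escaped so Simple XML passes a literal
               $sid$ / $_serial_id$ through to the map command instead of treating
               them as (unset) dashboard tokens, which would stop the search running.
               maxsearches raises map's default limit of 10 sub-searches (assumed value). -->
          <query>index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success
| table _time app savedsearch_name severity status result_count sid
| map [ | loadjob $$sid$$ | eval run=$$_serial_id$$ ] maxsearches=20</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Two caveats worth checking before relying on either panel: loadjob only returns a scheduled search's artifact while it still exists (once the job's results have expired, the drilldown and the map panel come back empty for that sid), and it only returns artifacts the viewing user is permitted to read, so a dashboard shared with other roles shows each user only the alert results they could have opened themselves. Verify the default URL-encoding of tokens in <link> against the drilldown documentation linked above for your version.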