- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get previous search results as a sub-search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, hope you can help me with this question.
What I'm trying to do is, given the information Splunk keeps about triggered alerts in index=_internal, create a dashboard with the alerts triggered in a period of time and, using the sid, get the actual results from that alert.
I'm using the following search to get the information about triggered alerts:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count sid
and I want to use the sid value returned to run a sub-search and get the actual values.
Something like this, if possible, would be great:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count sid | append [ loadjob sid ]
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just in case you haven't already checked it out have you seen the built in Triggered Alerts dashboard? https://your.splunk.instance:8000/en-US/alerts/search
For you own custom one You might be better off having one dashboard that lists all the alerts using your search, then have a dynamic drilldown that links to /app/search/search?q=|loadjob $relevantToken$
Have a look at the documentation and examples here: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Dynamicdrilldownindashboardsandforms
And for the token values you can use for your drill down see this section: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/tokens#Define_tokens_for_dynamic_drilldown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both options actually work, thanks for your comments. However, for my particular requirement, I ended up building a dynamic drill down using the SID.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just in case you haven't already checked it out have you seen the built in Triggered Alerts dashboard? https://your.splunk.instance:8000/en-US/alerts/search
For you own custom one You might be better off having one dashboard that lists all the alerts using your search, then have a dynamic drilldown that links to /app/search/search?q=|loadjob $relevantToken$
Have a look at the documentation and examples here: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Dynamicdrilldownindashboardsandforms
And for the token values you can use for your drill down see this section: http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/tokens#Define_tokens_for_dynamic_drilldown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The map command might work in this case:
index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count sid | map [ | loadjob $sid$ ]
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Map
You might also find this useful eventually:
map also supports a search id field, provided as $_serial_id$ which will have a number increemented for each run search. In other words, the first run search will have the value 1, and the second 2, and so on.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
