Dashboards & Visualizations

Create a Visualization that shows Dashboard Frequency of a Splunk Alert?

rthomas247
Engager

Hi,

I'd like to create a visualization that shows trends between alerts that have been fired. The graph will show the frequency of a given range of alerts and how often they were triggered on the source file.

Thanks,

Rob 


richgalloway
SplunkTrust

It's not clear to me exactly what you want, but I believe you should start with a list of fired alerts.  Get it with this query.

| rest /servicesNS/-/-/alerts/fired_alerts
---
If this reply helps you, Karma would be appreciated.
0 Karma

rthomas247
Engager

@richgalloway , Thanks for the quick turnaround.

I'd like to create a dashboard that shows me all my alerts that have fired over a given time period so I can gauge how often the alerts are fired compared to one another in a bar chart or pie chart. I'm looking to optimize alerts that are fired too often.

For example, if I have 100 alerts and 40 of them fire every 10m - 15m, I want to be able to focus on these 40 alerts to determine if I can optimize the query, reduce duplications or sunset the alert if it is no longer needed. Ideally, I'd like to start with a line or bar chart, and once I can see the data perhaps choose another chart to better represent the data.

0 Karma

richgalloway
SplunkTrust

Perhaps this search will be more helpful.

index=_internal sourcetype=Scheduler thread_id="AlertNotifier*" alert_actions=* NOT (alert_actions="summary_index" OR alert_actions="") 
| timechart count by savedsearch_name
---
If this reply helps you, Karma would be appreciated.
0 Karma
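An added example (not from this thread or from Splunk) that reproduces the accepted search offline: it applies the same thread_id / alert_actions filter to constructed scheduler-log-style lines, buckets the firings like `timechart count by savedsearch_name`, and flags alerts whose median gap between firings falls within the 10-15 minute range the question describes. The sample line layout and field set are assumptions; real scheduler.log lines carry more fields.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed scheduler-log-style sample lines (not real Splunk output); field names match the accepted search.
SAMPLE_LOG = """\
04-10-2024 09:00:00.000 +0000 INFO  SavedSplunker - savedsearch_name="Brute Force Logins", thread_id="AlertNotifierWorker-0", alert_actions="email"
04-10-2024 09:05:00.000 +0000 INFO  SavedSplunker - savedsearch_name="New Admin Created", thread_id="AlertNotifierWorker-0", alert_actions="email,webhook"
04-10-2024 09:10:00.000 +0000 INFO  SavedSplunker - savedsearch_name="Brute Force Logins", thread_id="AlertNotifierWorker-1", alert_actions="email"
04-10-2024 09:15:00.000 +0000 INFO  SavedSplunker - savedsearch_name="Hourly Rollup", thread_id="AlertNotifierWorker-0", alert_actions="summary_index"
04-10-2024 09:20:00.000 +0000 INFO  SavedSplunker - savedsearch_name="Brute Force Logins", thread_id="AlertNotifierWorker-0", alert_actions="email"
04-10-2024 09:30:00.000 +0000 INFO  SavedSplunker - savedsearch_name="Silent Report", thread_id="AlertNotifierWorker-0", alert_actions=""
04-10-2024 09:40:00.000 +0000 INFO  SavedSplunker - savedsearch_name="Brute Force Logins", thread_id="SchedulerThread", alert_actions="email"
"""
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})")

def is_fired_alert(fields):
    """The accepted search's predicate: a notifier thread that ran a real alert action."""
    return (fields.get("thread_id", "").startswith("AlertNotifier")
            and fields.get("alert_actions") not in (None, "", "summary_index"))

def fired_alerts(log_text):
    """Firing timestamps grouped by savedsearch_name, for lines passing is_fired_alert."""
    fired = defaultdict(list)
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        fields = dict(KV_RE.findall(line))
        if m and is_fired_alert(fields):
            ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
            fired[fields["savedsearch_name"]].append(ts)
    return dict(fired)

def timechart(fired, span=timedelta(minutes=15)):
    """Firings per bucket per alert, like `timechart count by savedsearch_name` with span=15m."""
    chart = defaultdict(Counter)
    for name, stamps in fired.items():
        for ts in stamps:
            bucket = ts - (ts - datetime.min) % span  # floor to the bucket boundary
            chart[bucket.isoformat()][name] += 1
    return {b: dict(c) for b, c in sorted(chart.items())}

def noisy_alerts(fired, max_gap=timedelta(minutes=15)):
    """Alerts whose median gap between firings is <= max_gap (the 10-15 minute case), gap in seconds."""
    noisy = {}
    for name, stamps in fired.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps and median(gaps) <= max_gap.total_seconds():
            noisy[name] = median(gaps)
    return noisy
```

The `timechart` output is what the bar or line chart in the dashboard would plot, and `noisy_alerts` gives the shortlist of alerts worth tuning or retiring.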

onurasln55
Explorer

There is no _internal index.  Could it be disabled by admin?

0 Karma

richgalloway
SplunkTrust

There is always an _internal index.  It may be possible for an admin to rename it, but that would break so much stuff that it would be a crazy thing to attempt.

It's more likely you don't have access to _internal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rthomas247
Engager

Thanks! This is it!

0 Karma