Splunk Search

showing alerts on the primary search head

aaronkorn
Splunk Employee

Hello,

We have a primary alerting server that only we admins manage, used to set up alerts which send out SNMP traps of triggered alerts. Is there a way to show these triggered alerts on a different server? For example, we are seeing them fine on our alerting server under triggered events, but would just like the triggered alerts to show up on the search head that users are actually logging into.

Thanks!


lguinn2
Legend

AFAIK, you can't tell Splunk to do this directly - there is no conf file where you can tell Splunk where to post alerts.

But, you can add a script to every alert - the script should write the alert content to a log file. Then have your indexers index this file, and you can write dashboards, reports, etc. that you can run from any search head. You could also implement your own notification scheme, etc., limited only by your imagination and available time.

Since you are already generating SNMP traps, I assume that you could just adapt your existing scripts to include this.
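One way to implement the script this answer describes, as an added example that is not from the thread or from Splunk itself: a POSIX sh alert script that appends each trigger as one key=value line to a log file, which a forwarder or indexer can then monitor so the alert history is searchable from any search head. The log path, the field names and the use of Splunk's legacy positional alert-script arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Splunk legacy alert script that records
# each trigger as a key=value line. Assumes the legacy scripted-alert argument
# order: $1 event count, $2 search terms, $3 full query, $4 saved-search name,
# $5 trigger reason, $6 link to results. Pick the file up with an inputs.conf
# stanza such as [monitor:///var/log/splunk_alerts/triggered.log].
ALERT_LOG="${ALERT_LOG:-/var/log/splunk_alerts/triggered.log}"   # placeholder path

# Escape a value so it is safe inside a double-quoted key="value" field:
# backslashes and double quotes are escaped, newlines collapsed to spaces.
kv_escape() {
    printf '%s' "$1" | tr '\n\r' '  ' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build one log line. Pure function (no I/O) so it can be checked on its own.
# Arguments: timestamp name count reason query link
format_alert_line() {
    count=$3
    # A non-numeric count would break numeric searches downstream; coerce to 0.
    case "$count" in ''|*[!0-9]*) count=0 ;; esac
    printf '%s name="%s" count=%s reason="%s" query="%s" link="%s"\n' \
        "$1" "$(kv_escape "$2")" "$count" "$(kv_escape "$4")" \
        "$(kv_escape "$5")" "$(kv_escape "$6")"
}

# Append a formatted line to the log, creating the directory if needed.
write_alert_line() {
    mkdir -p "$(dirname "$ALERT_LOG")" || return 1
    format_alert_line "$@" >> "$ALERT_LOG"
}

# Entry point when Splunk invokes the script with its positional arguments;
# skipped when run without arguments so the functions can be sourced and tested.
if [ $# -ge 6 ]; then
    write_alert_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$4" "$1" "$5" "$3" "$6"
fi
```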

aaronkorn
Splunk Employee

Thanks, I didn't think it was possible but I figured I would ask anyways. Our script that sends the SNMP traps to Netcool also writes it to a log file. I guess we could just ingest that log and create a dashboard from it. Thanks, problem solved!
