
How can I show every alert notification in a dashboard?

noybin
Communicator

Hello,

I've created a Dashboard in which I am showing every triggered alert by searching in: index=_audit action=alert_fired

I am having a problem with the alerts I've set to notify by email "for each result". These alerts are shown just once in my dashboard and I need to see as many alerts in the dashboard as notifications I've received.

Can you help me achieve this?
Thanks in advance


adonio
Ultra Champion

Hello there,
Just tested the condition you are describing and it seems to be working fine. I set an alert to run in real time on a condition that is being met constantly and had it send an email for every result, and I see the events correctly in the _audit index. Can you confirm that you did not throttle alerts (read here: http://docs.splunk.com/Documentation/Splunk/6.6.2/Alert/ThrottleAlerts) and that you receive multiple emails and only one event for the alert?
Regardless, I have a workaround that might help you with your dashboard. Create a small index for alerts and name it. Now, when saving an alert, add the "Log Event" alert action to your alerts. Fill in all the right fields (see screenshot), and now you will have an easy way to create nice reports and dashboards on all your alerts, as they will be logged in the new index.

Hope it helps


noybin
Communicator

Hi, thanks for your response.

I don't have throttle enabled. The notifications are received (by email) correctly "for each result".
My problem is that I cannot list those triggered alerts "for each result in a report" because in the _audit index each alert is only logged once.

I cannot use the alternative of the "Log Event" action either, because the client is using Splunk 6.1.4 and that action doesn't exist in that version.
They cannot upgrade because they don't own the License Master, which is in that version.

Any other alternative?

Thanks again.
Regards
