Dashboards & Visualizations

alert from dashboard, based on a column value

ramyaashok
New Member

Hi,
I have a dashboard where a column "status" has text with success or failed. I want to set up an alert for every 15 mins if the value is failed. How can I achieve this in the XML code that I already have with the dashboard?

0 Karma

gcusello
SplunkTrust

Hi @ramyaashok,
let me understand your need:

  • you want to insert one or more values in a text box of a dashboard,
  • search on events using the content of this text box every 15 minutes;

Is this correct?

You could put the values to search in a lookup and use it for the search:

  • you have to create a lookup (called e.g. my_lookup.csv) where there's only one field (called e.g. pattern);
  • if the value is in your events in one specified and fixed field (called e.g. my_field), run a search like this:

    index=my_index [ | inputlookup my_lookup.csv | rename pattern AS my_field | fields my_field ]

  • if instead you don't have the value in your events in one specified and fixed field, run a search like this:

    index=my_index [ | inputlookup my_lookup.csv | rename pattern AS query| fields query ]

Use this search to create your alert to schedule with the frequency you like (e.g. 15 minutes) and fire every time you have results.
If you like, you can also insert a threshold by adding a condition at the end:

    | stats count
    | where count>threshold

or managing the threshold in the alert.

Obviously, the first one is better!

Ciao.
Giuseppe

0 Karma
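The scheduling described in the answer above, written out as a saved-search stanza. This is an added example, not part of the original posts: the stanza name, the e-mail recipient and the 15-minute search window are assumptions, while the search string, index, lookup and field names are the placeholders used in the answer. In Splunk an alert is a scheduled saved search, so it is defined here rather than in the dashboard's XML.

```ini
# savedsearches.conf (constructed example; stanza name and recipient are placeholders)
[Lookup pattern match - every 15 minutes]
# First search from the answer: match events whose my_field equals a lookup value
search = index=my_index [ | inputlookup my_lookup.csv | rename pattern AS my_field | fields my_field ]

# Run on a schedule, every 15 minutes
enableSched = 1
cron_schedule = */15 * * * *

# Search window equal to the schedule interval, snapped to the minute,
# so consecutive runs neither overlap (duplicate alerts) nor leave gaps
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m

# Fire every time the search returns results
counttype = number of events
relation = greater than
quantity = 0

# Show in Triggered Alerts, do not throttle, and send an e-mail
alert.track = 1
alert.suppress = 0
action.email = 1
action.email.to = soc@example.com
```

If events can arrive late, shifting both window bounds back by the expected indexing delay keeps late events from falling between two runs.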