alert from dashboard, based on a column value

ramyaashok · ‎04-01-2020

Hi,
I have a dashboard, where in a column "status" have text with success or failed, i want to set up a alert for every 15 mins, if the value is failed. how can i achieve this in the XML code that i already have with dashboard.

gcusello · ‎04-01-2020

Hi @ramyaashok,
let me understand your need:

you want to insert one or more values in a text box of a dashboard,
search on events using the content of this text box every 15 minutes;

Is this correct?

You could put the values to search in a lookup and use it for the search:

you have to create a lookup (called e.g. my_lookup.csv) where there's only one field (called e.g. pattern);
if the value is in your events in one specified and fixed field (called e.g. my_field), run a search like this:

index=my_index [ | inputlookup my_lookup.csv | rename pattern AS my_field | fields my_field ]
if instead you don't have the value in your events in one specified and fixed field, run a search like this:

index=my_index [ | inputlookup my_lookup.csv | rename pattern AS query| fields query ]

Use this search to create your alert to schedule with the frequency you like (e.g. 15 minutes and fire everytime you have results.
If you like, you can also insert a threeshold adding at the end a condition:

| stats count
| where count>threeshold

or managing the threeshold in the alert.

Obviously, the first one is better!

Ciao.
Giuseppe

alert from dashboard, based on a column value

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life