Solved: How can I have one query for both a dashboard and ...

tb5821 · ‎02-19-2019

I want to have a query on my dashboard and also an alert for the same query but when it comes to updates. I don't want to have to update it in two places... what's the best way to accomplish this?

gcusello · ‎02-19-2019

Hi tb5821,
did you tried with a macro?
in other words: create a macro and use it both in dashboard and alert.
In this way you have only one point to manage.
Bye.
Giuseppe

View solution in original post

gowtham495 · ‎02-21-2019

See if you can do this way :

Create a Report with your search query and schedule it.
Create a Dashboard and add a panel containing that Report.
In Dashboard, Export >> Schedule PDF Delivery >> here you can edit settings like that of an alert (for ex: to, cc, cron, message, etc..)

This way, at the time of any updates, you can edit the Report alone. Other things will be automatically taken care of.

tb5821 · ‎02-21-2019

Looks like going this route doesn't allow for the 'scheduled report' to support Trigger Conditions or throttling of the report alert like it would with a 'regular' alert.

gcusello · ‎02-19-2019

Hi tb5821,
did you tried with a macro?
in other words: create a macro and use it both in dashboard and alert.
In this way you have only one point to manage.
Bye.
Giuseppe

How can I have one query for both a dashboard and an alert?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio