Triggered Alert Analytics

Primary Dashboards

Contains alert analytics for both triggered alerts and saved searches. Replace $name$ with the saved-search naming convention you use (e.g. 0001 – AlertName).

The bottom two tables depend on a report that writes an outputlookup; that report is based on the query that generates the second table in the dashboard.

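<form theme="dark">
  <label>Triggered Alert Analytics</label>
  <description>Metrics tracker for triggered alerts.</description>
  <fieldset submitButton="false"></fieldset>

  <!-- $name$ is a placeholder, not a dashboard input: substitute your saved-search
       naming pattern in both searches below before deploying. -->
  <row>
    <panel>
      <title>alert_fired count for Triggered Alerts</title>
      <input type="time" token="upperTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <chart>
        <title>Dashboard for counting per-alert totals, contingent on alerts having the 'Alert Action: Add to Triggered Alerts'</title>
        <!-- Daily sum of triggered_alerts per saved search, from the alert_fired audit
             events. The former trailing "| sort -count" was removed: timechart produces
             no "count" field here (only _time plus one column per ss_name), so the sort
             was dead at best and could only disturb the chronological order the line
             chart depends on. -->
        <search>
          <query>index=_audit action=alert_fired ss_app=* ss_name="$name$"
| timechart span=1d sum(triggered_alerts) by ss_name useother=f limit=0</query>
          <earliest>$upperTime.earliest$</earliest>
          <latest>$upperTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <!-- Log scale keeps rarely-firing alerts visible next to noisy ones. -->
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">preview</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trellis.splitBy">ss_name</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>All Modified Alerts (-7d)</title>
      <input type="time" token="lowerTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <!-- Lists saved-search definitions via the REST API. The rest command runs as the
             viewing user, so the list reflects that user's read access. The "query" column
             is the full SPL of each saved search and "emailTo" its recipient list; both
             are sensitive, so limit who can read this dashboard.
             The lowerTime picker was previously defined but never referenced (the search
             was hard-coded to -24h@h); it now feeds this search.
             NOTE(review): rest returns saved searches regardless of the search time range;
             if the picker is meant to filter on lastUpdated, an explicit where clause on
             that field is still needed. -->
        <search>
          <query>| rest /servicesNS/-/-/saved/searches
| search title="$name$"
| rename dispatch.earliest_time AS "frequency", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| table title, lastUpdated, nextRunTime, emailTo, action.lookup.filename, query, severity
| fillnull value=""
| sort -lastUpdated</query>
          <earliest>$lowerTime.earliest$</earliest>
          <latest>$lowerTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">preview</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">true</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>Daily Alert Modification Report</title>
        <!-- A saved report with exactly this name must exist and be readable by the
             viewer; it is the report that writes all_modified_alerts.csv. -->
        <search ref="Daily Alert Modification Report"></search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>From 'all_modified_alerts.csv'</title>
        <!-- Reads the snapshot written by the report above. The CSV carries the same
             "query" (full SPL) and "emailTo" columns, so its lookup permissions should
             be as tight as the dashboard's. -->
        <search>
          <query>| from lookup:all_modified_alerts.csv</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="count">1</option>
        <option name="drilldown">cell</option>
        <option name="totalsRow">true</option>
      </table>
    </panel>
  </row>
</form>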

Report Referenced Above (all_modified_alerts.csv)

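| rest /servicesNS/-/-/saved/searches
| search title=*
| rename dispatch.earliest_time AS "frequency", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV"
| eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4", SEV == "3", "Warning-3", SEV == "2", "Low-2", SEV == "1", "Info-1")
| eval identifierDate=now()
| convert ctime(identifierDate) AS identifierDate
| table identifierDate, title, lastUpdated, nextRunTime, emailTo, action.lookup.filename, query, severity
| fillnull value=""
| sort -lastUpdated
| outputlookup all_modified_alerts.csv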