
Filter alerts in splunk's UI and share result


At my company we've got almost a thousand alerts in splunk and I would like to be able to provide a link to certain alerts only (their names start with the same prefix).

I'd hope to be able to add query-params to the url (/alerts) - but couldn't find anything.

Any possibilities?


Solution

  • Just had the same issue/question, but I may have found an answer.

    you can use something like this:

    https://your-Splunk-host/en-US/app/search/alerts?search="your alert prefix * your-alert-suffix"

    which is almost equivalent to first starting in https://your-Splunk-host/en-US/app/search/alerts and then entering in the filter the text your alert prefix * your-alert-suffix

    The result will not be based on thousands of items and will show only what fits, for example:

    7 Alerts
    your alert prefix one: your-alert-suffix
    your alert prefix second example: your-alert-suffix
    your alert prefix -third- your-alert-suffix
    your alert prefix 4th your-alert-suffix
    your alert prefix blah-blah your-alert-suffix
    your alert prefix  your-alert-suffix
    your alert prefix last your-alert-suffix
    

    I figured this out by

    • luck, using another page where I saw search as a parameter, and luckily, it is usable in the alerts page too, although it disappears from the URL after the page starts to load
    • looking with the web dev tools at the call being made and seeing that within the search there is something similar to a usual Splunk query - the value from the search param is placed after an AND - e.g.: ) AND "My Alert Prefix * my-suffix" AND ((eai:acl.sharing="user" AND eai:acl.owner="my_user_name")

    If you want to be more permissive with your search, you may use it without the quotes ("), and that would search for each space-separated term to be included, just like usual Splunk search queries, because this is what is used in the background.

    Example: https://your-Splunk-host/en-US/app/search/alerts?search=My terms in URL will do in the background something like AND My terms in URL AND ((eai:acl.sharing="user" AND eai:acl.owner="my_user_name"), thus, having more results than query AND "My terms in URL" AND

    After figuring this out, I noticed that the search from the URL (e.g. search/alerts?search="your alert prefix * your-alert-suffix") is a bit more inclusive than the search in the page's filter; in my case, using the URL, the result had 37 items, while using the filter in the page gave 36 items.

    Still, the URL result is good enough, as it avoided loading, on first load, a list based on more than 3000 results, just as Mr. Gung wanted to avoid loading almost a thousand alerts.
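The URLs above are written with raw spaces and double quotes, which browsers and chat tools often mangle when a link is shared. As an added example (not part of the original question or answer), the Python below builds the same `/<locale>/app/<app>/alerts?search=...` link with the filter value percent-encoded, decodes it back out of a shared link, and gives a rough local preview of which alert names a `prefix * suffix` filter would match. The helper names, the `quoted` switch and the sample alert names are assumptions for this example; the wildcard preview is a plain substring/regex approximation, not Splunk's own matching.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample: the seven names listed in the answer plus two
# names that should NOT match the filter.
SAMPLE_ALERT_NAMES = [
    "your alert prefix one: your-alert-suffix",
    "your alert prefix second example: your-alert-suffix",
    "your alert prefix -third- your-alert-suffix",
    "your alert prefix 4th your-alert-suffix",
    "your alert prefix blah-blah your-alert-suffix",
    "your alert prefix  your-alert-suffix",
    "your alert prefix last your-alert-suffix",
    "other team alert your-alert-suffix",   # no prefix
    "your alert prefix unrelated",          # no suffix
]


def build_alerts_url(host: str, filter_text: str, app: str = "search",
                     locale: str = "en-US", quoted: bool = True) -> str:
    """Return a link to the Splunk alerts page with the `search` parameter
    pre-filled and percent-encoded (assumed helper, not a Splunk API).

    quoted=True wraps the filter in double quotes, matching the answer's
    phrase form; quoted=False sends the bare terms, the more permissive form.
    """
    if quoted and '"' in filter_text:
        # A literal quote inside a quoted phrase would break the query.
        raise ValueError("filter_text must not contain double quotes when quoted=True")
    value = f'"{filter_text}"' if quoted else filter_text
    # quote_via=quote encodes spaces as %20 (urlencode's default would use '+').
    query = urlencode({"search": value}, quote_via=quote)
    return f"https://{host}/{locale}/app/{app}/alerts?{query}"


def filter_from_url(url: str) -> str:
    """Recover the filter text from a shared alerts link, stripping the
    surrounding quotes if the phrase form was used."""
    values = parse_qs(urlsplit(url).query).get("search", [])
    if not values:
        raise ValueError("no search parameter in URL")
    text = values[0]
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    return text


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk-style '*' wildcard into a case-insensitive regex.
    Only '*' is special; everything else is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def matching_alert_names(names, filter_text: str):
    """Approximate local preview of which alert names the phrase filter would
    keep (substring match with '*' wildcards; not Splunk's real matching)."""
    rx = wildcard_to_regex(filter_text)
    return [n for n in names if rx.search(n)]


if __name__ == "__main__":
    url = build_alerts_url("splunk.example.com", "your alert prefix * your-alert-suffix")
    print(url)
    print(filter_from_url(url))
    for name in matching_alert_names(SAMPLE_ALERT_NAMES, filter_from_url(url)):
        print(" -", name)
```

Share the string returned by `build_alerts_url` rather than the hand-written form: the encoded link survives e-mail and chat clients intact, and `filter_from_url` lets a recipient confirm what filter they were actually sent before opening it.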