topic Re: How to generate an alert based on new database table entry? in All Apps and Add-ons

How to generate an alert based on new database table entry?

cjs1031 — Fri, 10 Mar 2017 18:59:25 GMT

I am new to Splunk, very green. I have a DB search that I need to run and I have the search string I need but when I setup an alert, the alert is checking the results and sending them all to me. Basically, each time a new entry hits that table I need it to send me an email with just the new entrie(s). I imagine this is very simple to do but again, I am green. Here is my string.

index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 | stats values(user_id) as userID by Action_date,Action,xcomp_access_role_id,create_login

Re: How to generate an alert based on new database table entry?

the_wolverine — Tue, 29 Sep 2020 13:10:56 GMT

Trying specifying a timerange either in your query syntax, then schedule the search to run every hour:

e.g.
index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 earliest=-1h latest=now | stats values(user_id) as userID by Action_date,Action,xcomp_access_role_id,create_login

In configuration, set the alert to email when there are greater than 0 events.

Re: How to generate an alert based on new database table entry?

cjs1031 — Tue, 29 Sep 2020 13:11:01 GMT

Hi thanks!

Actually I found more to this, so there is a different column I need to base this on "create_date". So I think you are on the right track so something like this:
index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 create_date="" | stats values(user_id) as userID by Action_date,Action,xcomp_access_role_id,create_login,create_date

What can I do with the "create_date" to pickup the newest creation date when this job runs every 5mins?