topic Re: Why are the alerts not triggered any more? in Other Usage

Why are the alerts not triggered any more?

Ammar — Wed, 30 Aug 2023 16:30:19 GMT

Hi Guys,

am trying to configure Splunk to send me alerts through mobile when the requests against my web server are more than a specified value

i ran the search and it shows me the requests number and source IP but

i created an alert but this alert is not triggered at all(i viewed the triggered alerts menu and its empty) scheduled to one hour, number of results greater than 0 and selected actions Splunk secure gateway

my goal is send these events to my mobile and to SOAR when they greater than a value and configure playbook to automatically block the src_ip as its mostly performing a DoS attack

anybody can help me ?

host=192.168.1.1 "DST=192.168.1.174"|stats count(SRC) AS Requests BY SRC
|sort - Requests | where Requests>50

Re: Why are the alerts not triggered any more?

gcusello — Wed, 30 Aug 2023 22:36:33 GMT

Hi @Ammar,

let me understand: is your issue that the search doesn't find any result or that the search finds results but you don't have any action?

in the first case, you have to debug your search:

I see that you didn't used the index definition, if the index to use isn't in the default search path, you cannot find anything:

index=your_index host=192.168.1.1 "DST=192.168.1.174" | stats count AS Requests BY SRC | sort -Requests | where Requests>50

Then are you sure that in your logs you have a scring exaclty "DST=192.168.1.174"? this isn't a field definition used for the search: if you have the field DST (that usually is in lowercase!) you can use it without quotes.

in the second case, you have to check the response actions configuration, which one did you configured?

To be listed in the triggered alerts or to receive an email you have to configure this actions in the response actions, it isn't automatic by default.

Ciao.

Giuseppe

Re: Why are the alerts not triggered any more?

Ammar — Thu, 31 Aug 2023 15:47:20 GMT

thanks for the reply

the search finds results accurately

but when created alert with send to mobile , the alert will never be triggered despite when running the search query i get results

BTW the alert is configured on schedule not real-time

Re: Why are the alerts not triggered any more?

isoutamo — Fri, 01 Sep 2023 10:40:25 GMT

can you show how your Alert has configured.

You could also look from internal logs if that alert is run and if it raised or not.

Have you test that your email works from splunk? Easiest way to check it is add

.... | sendemail ....

after your query.

One comment for your SPL. It's better 1st select rows and then sort, that way it's more efficient.

... | where Requests > 50 | sort 0 - Requests

Is better way. Also if there could be huge amount of those then you need 0 with sort to sort all not only XXX events.

r. Ismo

Re: Why are the alerts not triggered any more?

Ammar — Fri, 01 Sep 2023 15:53:42 GMT

hey,

thanks for the reply

i figured out that what was causing this is the mobile action in the alert

when i configured the alert to send action via Email it worked!

i don't know why sending push notification to mobile is not working although its configured on my splunk mobile app correctly and on Splunk Secure Gateway!

thank you for mentioning the email action to me

Re: Why are the alerts not triggered any more?

gcusello — Tue, 05 Sep 2023 06:24:15 GMT

Hi @Ammar ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉