topic Re: Splunk Alerting in Alerting

Splunk Alerting

praneethlekkala — Mon, 08 Mar 2021 07:07:19 GMT

I am trying to create a splunk alert, which sends an email if a key value is missing.

host="myhost" sourcetype="access_log" "Key_Word in the access logs'"

Usually i get the log entries every 30 mins, i want to get alerted via an email if "Key_Word in the access logs" is missing from the access logs, can someone guide me on this?

Re: Splunk Alerting

gcusello — Mon, 08 Mar 2021 07:22:35 GMT

Hi @praneethlekkala,

it's easy:

open the app where you want to locate your alert,
open search form,
run your search, using the time range you want in the alert (e.g. last 30 minutes),
click on "Save as" and then "Alert",
insert the infos requested in the form:
- alert title,
- permissions "Shared in App",
- scheduled: "Run on cron schedule",
- check the Time Range,
- use the correct cron schedule: */30 * * * *
- Number of results=0
- Trigger once,
- throttle (if you want to disable your alert for a period after triggering),
- Add action:
  - Add to triggered alerts,
  - Send email,
- Add the infos of the alert email,
- save it.

Ciao.

Giuseppe

Re: Splunk Alerting

manjunathmeti — Mon, 08 Mar 2021 07:25:30 GMT

Check below docs:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/Emailnotification

https://docs.splunk.com/Documentation/Splunk/8.1.2/Alert/EmailNotificationTokens

Re: Splunk Alerting

praneethlekkala — Mon, 08 Mar 2021 12:21:34 GMT

Thanks!! let me try this..

Re: Splunk Alerting

praneethlekkala — Mon, 08 Mar 2021 12:22:04 GMT

Thanks

Re: Splunk Alerting

gcusello — Tue, 09 Mar 2021 07:57:40 GMT

Hi @praneethlekkala,

good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉