https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211574#M3780 <P>Done <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 23 Sep 2016 11:56:09 GMT soniquella 2016-09-23T11:56:09Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211566#M3772 <P>Good morning.</P> <P>I am trying to create an e-mailed alert for when specific user accounts attempt a remote(logon_type=10) or interactive (logon_type=2) attempt to log in to specific servers( tag=taggedservers)</P> <P>My search returns a number of results for the last 24 hours (set) but I would like to receive an e-mailed alert each time a new log in from one of the user accounts is attempted.</P> <P>The lookup referred to is to show logon_type description in tabled results.</P> <P>This is my search syntax:</P> <P>tag=taggedservers EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 (user=adminuser1 OR user=adminuser2 OR user=adminuser3 OR user=adminuser4) ((Logon_Type=2 OR Logon_Type=10)) | lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc</P> <P>How do I create an alert without using realtime selection, each time one of the admin users attempts connections to my tagged servers? If you have any suggestions for improvements to the search then I would be grateful to hear.</P> <P>Any help would be appreciated.</P> <P>Thanks,</P> <P>Rob.</P> Tue, 29 Sep 2020 11:08:23 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211566#M3772 soniquella 2020-09-29T11:08:23Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211567#M3773 <P>i am not sure of this requirement, but i assume, you wanted email notifications related to this search. <BR /> you can save this search query as an alert (a scheduled alert), setup a cron schedule for how frequent this query should run, then you can enable an email alert, when the search query returns the expected results. </P> <P>Create scheduled alerts - <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts">http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification">http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification</A></P> <P><STRONG>Update -</STRONG> <BR /> Sorted. Changed search to earliest=-15m@m and then scheduled a cron job to run every 15 minutes and alert if stats count &gt; 0.</P> Fri, 23 Sep 2016 09:32:25 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211567#M3773 inventsekar 2016-09-23T09:32:25Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211568#M3774 <P>Thanks for you response. My issue is that I do not want this to run at scheduled set time periods but rather a 'live' response. Due to the secure nature of the servers in question, I need to be alerted immediately when one of these accounts attempts connection. Thanks, Rob.</P> Fri, 23 Sep 2016 09:49:55 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211568#M3774 soniquella 2016-09-23T09:49:55Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211569#M3775 <P>ok then, you can choose <STRONG>real-time alerts</STRONG> - </P> <P>Use a real-time alert to monitor events or event patterns as they happen. You can create real-time alerts with per-result triggering or rolling time window triggering. Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert when possible.<BR /> <STRONG>Create a real-time alert with per-result triggering</STRONG><BR /> Real-time alerts with per-result triggering are sometimes known as "per-result alerts". This alert type and triggering use a continuous real-time search to look for events. Each search result triggers the alert.</P> <P>Caution: In a high availability deployment, use per-result triggering with caution. If a peer is not available, a real-time search does not warn that the search might be incomplete. It is recommended to use a scheduled alert for this deployment.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/DefineRealTimeAlerts">http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/DefineRealTimeAlerts</A></P> Fri, 23 Sep 2016 10:04:05 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211569#M3775 inventsekar 2016-09-23T10:04:05Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211570#M3776 <P>Thank you. I did also try this but seemed to be immediately flooded with historical event alerts rather than new alerts from new log ins. I'll give it a read through and see if I missed something.</P> <P>I do appreciate your assistance with this.</P> <P>Cheers.</P> Fri, 23 Sep 2016 10:08:47 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211570#M3776 soniquella 2016-09-23T10:08:47Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211571#M3777 <P>if you want this to work only for new events, then, maybe, you can add earliest and latest fields - <BR /> for example - <CODE>earliest=-5m@m latest=now</CODE></P> <P>tag=taggedservers EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 (user=adminuser1 OR user=adminuser2 OR user=adminuser3 OR user=adminuser4) ((Logon_Type=2 OR Logon_Type=10)) <CODE>earliest=-5m@m latest=now</CODE> | lookup LogonTypeLookups.csv Logon_Type OUTPUT Logon_Desc</P> Tue, 29 Sep 2020 11:05:14 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211571#M3777 inventsekar 2020-09-29T11:05:14Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211572#M3778 <P>Sorted. Changed search to earliest=-15m@m and then scheduled a cron job to run every 15 minutes and alert if stats count &gt; 0.<BR /> Thank you very much for your help with this.</P> Fri, 23 Sep 2016 11:52:57 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211572#M3778 soniquella 2016-09-23T11:52:57Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211573#M3779 <P>Great.. can you please mark this as accepted answer, and few upvotes <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 23 Sep 2016 11:54:51 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211573#M3779 inventsekar 2016-09-23T11:54:51Z https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211574#M3780 <P>Done <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 23 Sep 2016 11:56:09 GMT https://community.splunk.com/t5/Alerting/Exponential-alerting-How-to-setup-a-1-event-alert/m-p/211574#M3780 soniquella 2016-09-23T11:56:09Z