topic Re: Alert Configuration based on search results in Alerting

Alert Configuration based on search results

AdsicSplunk — Sun, 25 Mar 2018 10:21:50 GMT

Hi,

I want to setup an alert on my search given below:-

index="foo" source="/servers/logs/access.log" | rex "\"(?<ConsumerIP>[^\"]+)\"\s+(?<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?<HttpMethod>[^\s]+)\s(?<EndpointURI>[^\s]+)\s(?<ResponseCode>\d+)\s(?<ServerInfo>[^\s]+)\s(?<GatewayIP>[^\s]+)\s(?<Ecid>[^\s]+)\s(?<ResponseTime>.+)" | stats count as TotalHits by EndpointURI

Alert Settings:-

Alert: DOH-PersonProfile Alert
Description:Optional
Alert type: Scheduled
Run on Cron Schedule
Time Range: Last 1 day
Cron Expression: */5 * * * *
Trigger Conditions
Trigger alert when Custom search count>1000
Trigger: Once

Trigger Actions
When triggered
Send emai To abc@company.com
Priority: High
Subject: Splunk Alert: $result.TotalHits$
Total number of requests received are : $requests.TotalHits$
Type: HTML & Plain Text

Why is not the alert working? Could anyone help me with this?

Re: Alert Configuration based on search results

AdsicSplunk — Sun, 25 Mar 2018 12:19:57 GMT

The Crontab Expression got mistyped. It is "*/5 * * * *"

Re: Alert Configuration based on search results

rakshithreddy — Sun, 25 Mar 2018 16:02:14 GMT

Hi @AdsicSplunk

Splunk writes the logs about mail action in _Internal - python.log & about Scheduled Searches in _Internal - Scheduler.log to see why the alert is failing.

Thanks

Re: Alert Configuration based on search results

AdsicSplunk — Mon, 26 Mar 2018 04:25:59 GMT

Hi @rakshithreddy,

How to fetch the value of TotalHits in the mail? Is this correct - $requests.TotalHits$

Re: Alert Configuration based on search results

AdsicSplunk — Mon, 26 Mar 2018 05:00:15 GMT

ConsumerName TotalHits ErrorCount
ABC          1179      269

If my query result is as above, how can I fetch the value of TotalHits? Please help anyone.