I have a basic alert set up to trigger whenever I have 3 or more failed SQL logins, as follows:
sourcetype="WinEventLog:Application" EventCode=18456 | stats count by sql_login_name | search count > 2
An email is then sent out alerting the db admins about the event.
I have played around with the new alert config using the token feature in order to pull in other variables related to the issue, but to no avail.
Is it possible to drop the results of the following stats command into the email body, or is there another approach I could use? The end goal is to have a table pushed out inside the email listing the criteria below as well as the triggered event.
| stats list(sql_login_name) by SourceName, login_source, host
Have something like this in your savedsearches.conf to send the results inline in the email.
[YourSavedSearchName]
action.email = 1
action.email.to = Your@email.list
action.email.cc = Your@email.list
action.email.subject = YourSubject
action.email.format = html
action.email.sendresults = 1
action.email.inline = 1
action.email.ttl = 10
... other properties ...
Thanks for the response somesoni2, but I had already figured that piece out. My query was in relation to how the list was presented within the email.
I have figured this out by utilising the command "stats count, list(...)", whereas previously I had "stats count" followed by a pipe to "stats list".
Just out of interest - I am trying to get my head around the difference between table and list and best practice on usage. Both appear to have a similar output?
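As an added example (not from the original thread), here is one way to write the combined search described above so that the 3-failure threshold still applies per login name while the context fields from the second stats command are carried along into the emailed table. The field names (sql_login_name, SourceName, login_source, host) are the ones used in this thread and are assumed to already be extracted from the event; the column order in the final table is an arbitrary choice:

```spl
sourcetype="WinEventLog:Application" EventCode=18456
| stats count,
        list(login_source) AS login_source,
        values(SourceName) AS SourceName,
        values(host) AS host
    by sql_login_name
| where count > 2
| table sql_login_name, count, host, SourceName, login_source
```

The reason the two-stage form fails is that the first "stats count by sql_login_name" emits only the fields count and sql_login_name, so a later "stats list(sql_login_name) by SourceName, login_source, host" has no SourceName, login_source or host values left to group by and returns nothing. Aggregating everything in a single stats call keeps those fields, and with action.email.sendresults = 1 and action.email.inline = 1 the resulting rows are what appears as the table in the email body. list() keeps every value, including duplicates, so the number of entries in login_source matches count; values() is used for the host and source fields where only the distinct values matter.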
Please be sure to accept your answer so others with similar issues/questions will be more likely to refer to this post for help. Thanks!
You might need to edit the sendemail.py file under your app/bin directory to accommodate your search results.
Using the stats command in the saved search for alerting will sometimes ignore the results...
Search for the stanza below in your sendemail.py file and modify this file.