Alerting

Alert Configuration based on search results

AdsicSplunk
New Member

Hi,

I want to setup an alert on my search given below:-

index="foo" source="/servers/logs/access.log" | rex "\"(?<ConsumerIP>[^\"]+)\"\s+(?<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?<HttpMethod>[^\s]+)\s(?<EndpointURI>[^\s]+)\s(?<ResponseCode>\d+)\s(?<ServerInfo>[^\s]+)\s(?<GatewayIP>[^\s]+)\s(?<Ecid>[^\s]+)\s(?<ResponseTime>.+)" | stats count as TotalHits by EndpointURI

Alert Settings:-

Alert: DOH-PersonProfile Alert
Description:Optional
Alert type: Scheduled
Run on Cron Schedule
Time Range: Last 1 day
Cron Expression: */5 * * * *
Trigger Conditions
Trigger alert when Custom search count>1000
Trigger: Once

Trigger Actions
When triggered
Send email to abc@company.com
Priority: High
Subject: Splunk Alert: $result.TotalHits$
Total number of requests received is: $requests.TotalHits$
Type: HTML & Plain Text

Why is the alert not working? Could anyone help me with this?

0 Karma
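An added example, not from the thread, that mirrors the search above in Python: it applies the same regex to constructed access-log lines, aggregates per EndpointURI as `stats count as TotalHits by EndpointURI` does, evaluates a custom trigger condition of the form `search <field>><threshold>` against the result rows, and expands `$result.<field>$` tokens the way Splunk alert actions do (from the first result row; tokens in other namespaces are left untouched). The log lines, IPs and endpoint names are constructed.

```python
import re
from collections import Counter

# The thread's rex, in Python's (?P<name>...) group syntax; \S replaces [^\s].
ACCESS_RE = re.compile(
    r'"(?P<ConsumerIP>[^"]+)"\s+'
    r'(?P<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s'
    r'(?P<HttpMethod>\S+)\s(?P<EndpointURI>\S+)\s(?P<ResponseCode>\d+)\s'
    r'(?P<ServerInfo>\S+)\s(?P<GatewayIP>\S+)\s(?P<Ecid>\S+)\s(?P<ResponseTime>.+)'
)

# Constructed sample lines in the layout the rex expects (not real traffic).
SAMPLE_LOG = """\
"10.0.0.5" 2024-03-01 10:00:01 GET /api/person/profile 200 app01 10.1.1.1 ecid-001 0.123
"10.0.0.6" 2024-03-01 10:00:02 GET /api/person/profile 500 app01 10.1.1.1 ecid-002 0.456
"10.0.0.5" 2024-03-01 10:00:03 POST /api/person/update 200 app02 10.1.1.2 ecid-003 0.078
malformed line that the rex does not match
"""

def stats_count_by_endpoint(log_text):
    """Equivalent of '| stats count as TotalHits by EndpointURI': one row per URI."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ACCESS_RE.search(line)
        if m:  # a line rex cannot parse gets no EndpointURI and drops out of the stats
            counts[m.group("EndpointURI")] += 1
    return [{"EndpointURI": uri, "TotalHits": n} for uri, n in sorted(counts.items())]

def custom_condition_fires(results, field, threshold):
    """Custom trigger condition 'search <field>><threshold>': fires only if some
    result row has that field above the threshold. A field that stats renamed
    (count -> TotalHits) is absent from every row, so the condition never matches."""
    return any(field in row and row[field] > threshold for row in results)

def expand_tokens(template, results):
    """$result.<field>$ as Splunk alert actions expand it: from the first row only.
    Tokens in other namespaces (e.g. $requests.TotalHits$) are left as-is."""
    first = results[0] if results else {}
    def sub(m):
        ns, field = m.group(1), m.group(2)
        return str(first[field]) if ns == "result" and field in first else m.group(0)
    return re.sub(r"\$(\w+)\.(\w+)\$", sub, template)

if __name__ == "__main__":
    rows = stats_count_by_endpoint(SAMPLE_LOG)
    print(rows)
    print(custom_condition_fires(rows, "count", 1000), custom_condition_fires(rows, "TotalHits", 1))
    print(expand_tokens("Splunk Alert: $result.TotalHits$ ($requests.TotalHits$)", rows))
```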

AdsicSplunk
New Member

The Crontab Expression got mistyped. It is "*/5 * * * *"

0 Karma

rakshithreddy
Explorer

Hi @AdsicSplunk

Splunk writes the logs about the mail action in _internal (python.log) and about scheduled searches in _internal (scheduler.log). Check those to see why the alert is failing.

Thanks

0 Karma

AdsicSplunk
New Member

Hi @rakshithreddy,

How do I fetch the value of TotalHits in the mail? Is this correct: $requests.TotalHits$

0 Karma

AdsicSplunk
New Member

ConsumerName TotalHits ErrorCount
ABC          1179      269

If my query result is as above, how can I fetch the value of TotalHits? Can anyone help?

0 Karma