Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Alert Configuration based on search results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alert Configuration based on search results
Hi,
I want to setup an alert on my search given below:-
index="foo" source="/servers/logs/access.log" | rex "\"(?<ConsumerIP>[^\"]+)\"\s+(?<RequestTime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?<HttpMethod>[^\s]+)\s(?<EndpointURI>[^\s]+)\s(?<ResponseCode>\d+)\s(?<ServerInfo>[^\s]+)\s(?<GatewayIP>[^\s]+)\s(?<Ecid>[^\s]+)\s(?<ResponseTime>.+)" | stats count as TotalHits by EndpointURI
Alert Settings:-
Alert: DOH-PersonProfile Alert
Description:Optional
Alert type: Scheduled
Run on Cron Schedule
Time Range: Last 1 day
Cron Expression: */5 * * * *
Trigger Conditions
Trigger alert when Custom search count>1000
Trigger: Once
Trigger Actions
When triggered
Send emai To abc@company.com
Priority: High
Subject: Splunk Alert: $result.TotalHits$
Total number of requests received are : $requests.TotalHits$
Type: HTML & Plain Text
Why is not the alert working? Could anyone help me with this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Crontab Expression got mistyped. It is "*/5 * * * *"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AdsicSplunk
Splunk writes the logs about mail action in _Internal - python.log & about Scheduled Searches in _Internal - Scheduler.log to see why the alert is failing.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rakshithreddy,
How to fetch the value of TotalHits in the mail? Is this correct - $requests.TotalHits$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ConsumerName TotalHits ErrorCount
ABC 1179 269
If my query result is as above, how can I fetch the value of TotalHits? Please help anyone.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
