Solved: Alert needs to be configured if there is no logs f...

anandhalagaras1 · ‎10-16-2020

Hi Team,

I want to schedule an alert something like there is no event for a particular index for more than 15 minutes it should trigger an email notification to our team.

For example: Index= os

So kindly help with the query is setting up the same.

gcusello · ‎10-16-2020

Hi @anandhalagaras1,

you should schedule an alert, tu run every 15 minutes, running a search like this:

index=os earliest=-15m@m latest=now

that has as activation condition results=0ans as action send email.

In other words:

run the above search,
click on "Save as Alert",
insert the informations requested:
- cron */15 * * * *
- activation for results=0
- action=send eMail.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎10-16-2020

Hi @anandhalagaras1,

you should schedule an alert, tu run every 15 minutes, running a search like this:

index=os earliest=-15m@m latest=now

that has as activation condition results=0ans as action send email.

In other words:

run the above search,
click on "Save as Alert",
insert the informations requested:
- cron */15 * * * *
- activation for results=0
- action=send eMail.

Ciao.

Giuseppe

gcusello · ‎10-27-2020

Hi @anandhalagaras1,

good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Alert needs to be configured if there is no logs for an index

alert condition

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?