Solved: Alert needs to be configured if there is no logs f...

anandhalagaras1 · ‎10-16-2020

Hi Team,

I want to schedule an alert something like there is no event for a particular index for more than 15 minutes it should trigger an email notification to our team.

For example: Index= os

So kindly help with the query is setting up the same.

gcusello · ‎10-16-2020

Hi @anandhalagaras1,

you should schedule an alert, tu run every 15 minutes, running a search like this:

index=os earliest=-15m@m latest=now

that has as activation condition results=0ans as action send email.

In other words:

run the above search,
click on "Save as Alert",
insert the informations requested:
- cron */15 * * * *
- activation for results=0
- action=send eMail.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎10-16-2020

Hi @anandhalagaras1,

you should schedule an alert, tu run every 15 minutes, running a search like this:

index=os earliest=-15m@m latest=now

that has as activation condition results=0ans as action send email.

In other words:

run the above search,
click on "Save as Alert",
insert the informations requested:
- cron */15 * * * *
- activation for results=0
- action=send eMail.

Ciao.

Giuseppe

gcusello · ‎10-27-2020

Hi @anandhalagaras1,

good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Alert needs to be configured if there is no logs for an index

alert condition

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...