Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert when user is log off

ajromero
Path Finder
‎06-15-2021 03:53 PM

I need to get an alert when a user is log off from a server, here is my query

index="wineventlog" user="*.COM" OR user="*"
| head 1 | eval age = now() - _time
|table _time user name

Then I'm setting a custom alert to

ajromero_0-1623797502045.png

but I don't get any alert

Thank you,

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-17-2021 06:54 PM

Hi @ajromero I don't find age field in your table command, there could be other reasons.

  • age > 900 condition might not met, you can try same query in UI with | where age > 900 at the end exactly select time similar to schedule window. Lower age threshold and retry.
  • Your role/user assigned to these alerts to run alerts might not be having schedule search capability. You can run following query to find out what exactly happening with your search

 

index=_internal sourcetype="scheduler" savedsearch_name=<your_search_name>​

 

  • While configuring alert in UI ,Trigger Action under Alerts should be selected to Email and provide the correct email
  • could be issues while sending email to SMTP server , you can verify here. 

 

index=_internal source="/opt/splunk/var/log/splunk/python.log" subject="<your_email_subject>" sendemail ERROR​

 

----------

An upvote would be appreciated if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-15-2021 05:25 PM

Hi @ajromero 

Can you try this works? added age field to table command.

index="wineventlog" user="*.COM" OR user="*"
| head 1 | eval age = now() - _time
|table _time user name age

----

An upvote would be appreciated if it helps!

0 Karma
Reply
Solved! Jump to solution

ajromero
Path Finder
‎06-17-2021 07:51 AM

Hi,

I already have the age field in the table and it doesn't do it

index="wineventlog" user="*.COM" OR user="*"
| head 1 | eval age = now() - _time
|table _time user name

 

thanks

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-17-2021 06:54 PM

Hi @ajromero I don't find age field in your table command, there could be other reasons.

  • age > 900 condition might not met, you can try same query in UI with | where age > 900 at the end exactly select time similar to schedule window. Lower age threshold and retry.
  • Your role/user assigned to these alerts to run alerts might not be having schedule search capability. You can run following query to find out what exactly happening with your search

 

index=_internal sourcetype="scheduler" savedsearch_name=<your_search_name>​

 

  • While configuring alert in UI ,Trigger Action under Alerts should be selected to Email and provide the correct email
  • could be issues while sending email to SMTP server , you can verify here. 

 

index=_internal source="/opt/splunk/var/log/splunk/python.log" subject="<your_email_subject>" sendemail ERROR​

 

----------

An upvote would be appreciated if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...