Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Alerting per device

corwinz6
Explorer
‎08-22-2011 12:59 PM

Hello,

I have about 80 devices logging to Splunk and am in the process of trying to setup alerting for them. I would like for alerts to go off individually for each device when a event occurs. Is this possible without setting up alerts specific for each device? i.e. I have a search that runs every 5 minutes looking at the logs for the previous 6 minutes with: 

sourcetype=fortinet type=event status=failed and a custom condition of | stats count(Mgmt_IP) as attempts by devname | where attempts > 2

so that I am only looking at devices with a frequency of more than 2 login failures in the last 6 minutes. I know if I say devname=X in the search this will work, but I'd like to avoid having to create hundreds of alerts.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎08-22-2011 06:30 PM

Currently this is not possible - we are working on per result alerting and you should get your hands on it during our next major release (going into beta soon). In the mean time you can either process the search results inside your script (if using scripted alerts) or modify the sendemail search command to send out one email per result, see this for more info on how to modify sendemail

View solution in original post

Reply
Solved! Jump to solution
Solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎08-22-2011 06:30 PM

Currently this is not possible - we are working on per result alerting and you should get your hands on it during our next major release (going into beta soon). In the mean time you can either process the search results inside your script (if using scripted alerts) or modify the sendemail search command to send out one email per result, see this for more info on how to modify sendemail

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...