Alerting

Creating Alerts When You Don't Know What to Search For??

Rayj00
New Member

I'm a newbe with Splunk. So, if an event never happened before (like failed authentication for instance), Splunk obviously does not have it indexed. How do I set up an alert if a failed authorization happens, say, 10 times in 5 minutes?

Thanks,

Ray

Tags (2)
0 Karma

Rayj00
New Member

I guess my problem is getting the correct information when events haven't happened yet.
So, how do I know what to trigger on when an event has not happened yet?

Thanks,

Ray

0 Karma

Brian_Osburn
Builder

If it's a common application (such as say windows login) you can google for the exception. Or, if it's an homegrown app, ask your developers.

0 Karma

sfleming
Splunk Employee
Splunk Employee

If there's a field in your data that represents auth status (success, etc.), you can set up your search using the != operator. (not equal to)

... myAuthStatusField!=success

Or, if you know what the value WOULD be for a failed login, it's better to be specific and use

... myAuthStatusField=failed (or denied, or whatever the value would potentially be)

Then set your search schedule to run every 5 minutes for a time range of the last 5 minutes. Set your alert conditions to "if number of events is greater than 9".

If you don't have that field defined and haven't extracted a new field before, you can read the full documentation here: http://docs.splunk.com/Documentation/Splunk/4.2.3/User/ExtractNewFields

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...