Alerting

Email Notification

kehnerm
Engager

How do I set up an email notification that is triggered by a user add/update/delete/activate?

richgalloway
SplunkTrust

You can do that in 3 steps.

1) Verify the user add/update/delete/activate events are indexed in Splunk.

2) Search the appropriate index for the events.

3) When you have search results you like, select "Alert" from the Save As menu.  Complete the form and select "Send email" from the Trigger Actions menu.

---
If this reply helps you, Karma would be appreciated.

kehnerm
Engager

@richgalloway thank you for the quick response.  I'm new to Splunk and need to set up an email notification.  I've been working through documentation for several days now, and I'm still not getting this done.

Would you please tell me how to accomplish this?

1) Verify the user add/update/delete/activate events are indexed in Splunk.

PickleRick
SplunkTrust

Your problem is not well-defined.

Splunk can only search (and alert based on) events that are in Splunk. It's not clear whether you are trying to find added/changed/whatever _Splunk users_ (which should be at least partially achievable, but the approach to this task can differ based on whether you have a 9.x Splunk version, which has the _configtracker index, or an earlier one) or if you want to find information about user accounts from other systems in your Splunk data. In the latter case you need to have the information from those systems ingested into Splunk first in order to be able to find anything.

isoutamo
SplunkTrust

Hi

You also must have a working email-sending feature configured on your Splunk. You could test this with the sendemail command, like:

index=*
| head 1
| stats count
| sendemail to="<your email address>" subject="Testing Splunk email sending" 

If this sends an email to you, then email sending is configured and in use. Otherwise, your Splunk admin needs to configure it with your organisation's email operator.

After that you could use the email action in the Alert configuration.

r. Ismo 

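Steps 2 and 3 from richgalloway's reply, together with the email action Ismo describes, end up as one saved-search stanza on disk. The savedsearches.conf fragment below is an added illustration, not from any poster in this thread: the `index=_audit action=edit_user` search and the `object`/`operation` field names are assumptions about how Splunk records its own user-management actions (confirm them with an interactive search first, which is step 1), and the app path and recipient address are placeholders.

```ini
# savedsearches.conf, e.g. under etc/apps/<your_app>/local/ (path is a placeholder)
# Added illustration, not from the thread.
[User account change - email alert]
# Step 2: the search. index=_audit / action=edit_user and the object/operation
# fields are ASSUMED to match Splunk's own user-management audit events;
# verify them interactively before saving the alert (step 1).
search = index=_audit action=edit_user | table _time user action object operation info
# Scheduled search: run every 5 minutes over the previous 5-minute window,
# so each audit event is evaluated exactly once
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# Trigger condition: fire when the search returns at least one result
counttype = number of events
relation = greater than
quantity = 0
# Record it as an alert (visible under Triggered Alerts), one notification per run
alert.track = 1
alert.digest_mode = 1
alert.severity = 3
# Step 3: the "Send email" trigger action (recipient is a placeholder)
action.email = 1
action.email.to = security-team@example.com
action.email.subject = Splunk alert: $name$ ($job.resultCount$ user-account changes)
action.email.message.alert = A Splunk user account was added, changed or removed. Results: $results_link$
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table
```

The owner of the saved search needs the schedule_search capability for the scheduled run and the email action to work, which is the same capability PickleRick notes below for the ad-hoc sendemail test.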

PickleRick
SplunkTrust

Just remember that in order to use the sendemail command you need the schedule_search capability (yes, it's a bit counterintuitive).