Alerting

Help! Alert for 'Results greater than zero' is triggering but not sending e-mail. E-mail settings ARE correct!

Path Finder

Please help!!!!!!

tag=taggedservers EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 (user=user1 OR user=user2 OR user=user3 OR user=user4) (LogonType=2 OR LogonType=10)| table time src srcip user host EventCodeDescription

I would like to create an alert that triggers when the results are greater than zero whenever user1/2/3/4 attempts to log in to any of the tagged servers using interactive or RDP log in types.

I CAN get this to trigger if I add stats count onto the end and add the custom trigger of 'search count > 0', BUT this only sends an e-mail with count = * and NOT the information required in a table as shown in the search. This is with Inline table also selected within the e-mail configuration.

If I look in the schedule.logs it shows that the scheduled search runs and that results_count = 20 (or whatever) but STILL no e-mail!!

If I add the manual e-mail send syntax to the search and run the search then it sends the e-mail fine. Other alerts using the same mail server are working without issue.

I just really am at my wits end here trying to figure this out.

Any help would be GREATLY appreciated.

Thanks in advance,

Rob.


Legend

First, enable two actions on your alert:
- send email
- list alert in triggered alerts
In this way you can check whether your alert was really triggered.

If it was, verify your email configuration (especially the destination addresses) and check whether the result of your search is too large for the email body, or the attachment is too large for your email provider.
The main difference (related to this problem, obviously) between the result of stats count and table is usually the size of the result.

In addition, you can check Splunk's log in $SPLUNK_HOME/var/log/splunk/splunkd.log and verify whether there was a problem sending the email; for example, a too-large message body is logged in this file.

Bye.
Giuseppe

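As an added example (not from this thread, and not Splunk's own sample), this is how the alert Rob describes looks in savedsearches.conf with both actions Giuseppe recommends enabled; the stanza name, recipient address and file location are placeholders, and the search is copied from the question as-is:

```ini
# savedsearches.conf, e.g. in $SPLUNK_HOME/etc/apps/search/local/ (location is an assumption)
# Stanza name and recipient address are placeholders.
[Watched users - interactive or RDP logon on tagged servers]
search = tag=taggedservers EventCode=4624 OR EventCode=4634 OR EventCode=4647 OR EventCode=4625 OR EventCode=4778 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 (user=user1 OR user=user2 OR user=user3 OR user=user4) (LogonType=2 OR LogonType=10) | table time src srcip user host EventCodeDescription

# Schedule from the question: every 15 minutes over a 15-minute window
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -16m@m
dispatch.latest_time = -1m@m

# Trigger condition: number of results greater than zero
# (no alert_condition, so no "stats count" wrapper is needed and the table is kept)
counttype = number of events
relation = greater than
quantity = 0

# "Trigger once" for all results of a run rather than once per result
alert.digest_mode = 1

# Action 1: list in Triggered Alerts, so firing can be confirmed in the UI
alert.track = 1

# Action 2: send email with the search results inline as a table
action.email = 1
action.email.to = security-team@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

If the alert shows up under Triggered Alerts but no mail arrives, the problem is in the email action or the mail server, which is what the splunkd.log check above is for.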


Path Finder

I currently have the following set in the alert settings:

Alert type: Scheduled - Run on Cron Schedule
Earliest: -16m@m
Latest: -1m@m
Cron Expression: */15 * * * * (may miss the first asterisks on here due to format, but it IS there)
Trigger alert when number of results is greater than zero. Trigger once.

The search itself returns results. This is set to run on cron sched every 15 minutes. I can see results from the search but it seems nothing is triggered by results greater than zero...Argh!!!
