Alerting

How do I get all raw events in email when using per result throttling field?

raju4244
Explorer

Hi,

I have created an alert with a per result throttling field enabled. This is to get an alert in case of any bad login attempts by the same user, from the same desktop, and to the same destination for more than two times.

In the alert, I have chosen to get the raw event in my email. Whenever a bad login happens, I get an alert with one line of raw event instead of three or more.

How do I get all raw event data related to this alert by email? Or do we have any other option to get an email with all raw events whenever a bad login happens, which would satisfy my requirement?

0 Karma

splunker12er
Motivator

Did you try something like this in your search query:

your_search_to_filter_bad_login_attempt| stats values(_raw) by _time

Or

your_search_to_filter_bad_login_attempt| table field1, field2, field3
0 Karma

raju4244
Explorer

Hi,

I cannot use the second (table) option, as I require the raw event.
The first can be used; I need to try it out.

I see no issue with the search result, as we are getting the alert properly when the bad login happens.
The only thing is that the report that comes in the mail does not have all the raw events.

If there are 5 bad login events, I'm expecting 5 lines of raw events in the mail.

FYI, the following is my search query; I have a search query with the required fields, nothing more than that.

my_base_search_with_fields

It runs every 5 min, and the alert condition is "if number of events is greater than 2". Alert mode is once per result with throttling of 5 min and field throttling with my fields (User, Server, IP).

When I use these throttling fields I get only one raw event in the mail when a bad login happens, and at the same time when I look at the result it shows all the events properly.

I just want to know how I get all raw events in the mail when throttling fields are used?

0 Karma
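Added example (not part of any post in this thread): one way to apply splunker12er's stats suggestion to the alert described above. Per-result throttling fires one alert per result row and the email carries only that row, so the fix is to make each result row already contain every matching raw event, grouped by the same three fields used for field throttling, with the "more than 2" count check moved into the search. This assumes my_base_search_with_fields is the asker's own base search and that the alert trigger is then changed to "number of results greater than 0".

```spl
my_base_search_with_fields
| stats count,
        min(_time) as first_seen,
        max(_time) as last_seen,
        list(_raw) as raw_events
  by User, Server, IP
| where count > 2
| convert ctime(first_seen) ctime(last_seen)
```

Keep User, Server, IP as the throttle fields so each user/desktop/destination combination is still suppressed for 5 minutes after it fires; list() keeps duplicate events in arrival order but caps at 100 values per group, while values() deduplicates and sorts them.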