Alerting

How do we turn off alert email from source type=ps

Alan_Bradley
Path Finder

We get an alert from sourcetype=ps as a result of running this save search: (authentication failure) OR (Account * too many attempts) OR (Failed password) startminutesago=5

We turned off the *nix app ps savedsearch but we still get the email. Here is the collapsed version of the alert:

9/2/09 2:01:55.000 PM ... 126 lines omitted ... nagios 7033 5 0.0 00:00:00 0.0 1216 54904 ? S 00:03 bash /usr/local/nagios/check_su_failures nagios 7038 3 75.3 00:00:02 0.0 400 49936 ? R 00:03 cat /var/log/messages nagios 7039 7 59.0 00:00:01 0.0 624 51096 ? R 00:03 grep authentication_failure nagios 7040 1 0.0 00:00:00 0.0 588 51096 ? S 00:03 grep root nagios 7041 5 0.0 00:00:00 0.0 572 51092 ? S 00:03 grep logapp-b

Tags (2)
0 Karma
1 Solution

matt
Splunk Employee
Splunk Employee

Try modifying your saved search to add a NOT statement for that sourcetype

View solution in original post

matt
Splunk Employee
Splunk Employee

Try modifying your saved search to add a NOT statement for that sourcetype

Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...