Alerting

How do we turn off alert email from source type=ps

Path Finder

We get an alert from sourcetype=ps as a result of running this save search: (authentication failure) OR (Account * too many attempts) OR (Failed password) startminutesago=5

We turned off the *nix app ps savedsearch but we still get the email. Here is the collapsed version of the alert:

9/2/09 2:01:55.000 PM ... 126 lines omitted ... nagios 7033 5 0.0 00:00:00 0.0 1216 54904 ? S 00:03 bash /usr/local/nagios/check_su_failures nagios 7038 3 75.3 00:00:02 0.0 400 49936 ? R 00:03 cat /var/log/messages nagios 7039 7 59.0 00:00:01 0.0 624 51096 ? R 00:03 grep authentication_failure nagios 7040 1 0.0 00:00:00 0.0 588 51096 ? S 00:03 grep root nagios 7041 5 0.0 00:00:00 0.0 572 51092 ? S 00:03 grep logapp-b

Tags (2)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

Try modifying your saved search to add a NOT statement for that sourcetype

View solution in original post

Splunk Employee
Splunk Employee

Try modifying your saved search to add a NOT statement for that sourcetype

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!