Alerting

How to run a scheduled reports but only if the search contains results?

stakor
Path Finder

I am looking to run a scheduled report, but I would like to only receive an email if the search powering the report has found something.

Can one accomplish such a thing?

If you are looking for people who visit test[.]com, and in the last week (Duration of the search), no one has gone there, then there should be no email. If someone has gone to test[.]com in the last week, then it should list their name, and send an email.

I don't know if conditional sending is available in Splunk or not.

0 Karma
1 Solution

jonmargulies
Path Finder

Change it to an alert. An alert in Splunk is basically just a report but with conditionals like the one you're talking about. One of the simplest ways to set an alert is to only email if the number of results is >0.

View solution in original post

jonmargulies
Path Finder

Change it to an alert. An alert in Splunk is basically just a report but with conditionals like the one you're talking about. One of the simplest ways to set an alert is to only email if the number of results is >0.

Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...