Alerting

How to see not fired alerts - SPL?

rafamss
Contributor

Hello everyone,

I have a good search (SPL) to see what the last fired alerts were, but I don't have one to see which ones were not. Do you know how to do that?

Regards,

Rafael Santos


inventsekar
Super Champion

Hi @rafamss ... let's say you have a simple log file containing a list of usernames (100 usernames: 1 root, 99 non-root users). You created an alert to find out if the username is equal to root.

The alert will fire for that 1 root user, and all the others are the alert-not-fired condition.

So, we cannot find out or list the alerts that are not fired.

(If the alert fired but there was no email notification or other action, then that can be troubleshot.)

>>> Happy Splunking!

rafamss
Contributor

Hi @inventsekar,

Thank you for your answer. Well, I understand your point, but what I want to do is display the list of alerts that weren't fired, for example:

An alert to send an email every time a root account logs into a system; this alert needs to run every time, and I want to know if the alert couldn't run.
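The second question above, whether a scheduled alert actually ran, is answerable from Splunk's own scheduler log. The following SPL is an added example for this thread, not code from either poster: it pulls the list of enabled scheduled alerts from the saved/searches REST endpoint and left-joins it with the scheduler events in `_internal` for the last 24 hours, so that alerts with no successful run, or with skipped runs, surface in the result. The field names used (`savedsearch_name`, `status`, `alert_actions`, `reason` from `sourcetype=scheduler`; `is_scheduled`, `disabled`, `alert_type`, `cron_schedule` from the REST endpoint) are the standard ones for those sources, but the exact set can differ between Splunk versions, so check them against your deployment before relying on the search. The `alert_type!="always"` filter assumes plain scheduled reports carry `alert_type=always` and drops them; remove it to audit reports too. Reading `_internal` normally requires an admin-level role.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search is_scheduled=1 disabled=0 alert_type!="always"
| rename title AS savedsearch_name, eai:acl.app AS app, eai:acl.owner AS owner
| table savedsearch_name app owner cron_schedule
| join type=left savedsearch_name
    [ search index=_internal sourcetype=scheduler earliest=-24h
      | stats count(eval(status="success")) AS runs_ok,
              count(eval(status="skipped")) AS runs_skipped,
              count(eval(alert_actions!="")) AS runs_fired,
              values(reason) AS skip_reason,
              max(_time) AS last_run
        BY savedsearch_name ]
| fillnull value=0 runs_ok runs_skipped runs_fired last_run
| eval last_run=if(last_run=0, "no run in window", strftime(last_run, "%F %T"))
| where runs_ok=0 OR runs_skipped>0
| sort - runs_skipped, savedsearch_name
```

Rows with `runs_ok=0` are alerts the scheduler never completed in the window (disabled app, missing permissions, search never dispatched); rows with `runs_skipped>0` ran late or not at all because of scheduler pressure, and `skip_reason` carries the scheduler's explanation. `runs_fired` separates "ran but found nothing" from "did not run": an alert that ran successfully every time but never triggered shows `runs_ok>0`, `runs_fired=0` and is filtered out here on purpose, since that is the normal not-fired condition described in the earlier answer. Drop the final `where` clause to see every scheduled alert with its run and trigger counts side by side.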
