Alerting

How to see not fired alerts - SPL?

rafamss
Contributor

Hello everyone,

I have a good search (SPL) to see what was the last fired alerts but I don't have one to see what was not, do you how to do?

Regards,

Rafael Santos

Labels (1)

inventsekar
Ultra Champion

Hi @rafamss ... lets say you have a simple log file containing the list of usernames(100 usernames=1 root, 99 non-root users). you created an alert for finding out if the username is equal to root. 

the alert will fire for that 1 root user and all else are the alert-not-fired condition. 

 

so, we can not find out or list down the alerts that are not fired. 

(if alert fired but email notification, no other actions, then, that can be troubleshooted.)

rafamss
Contributor

Hi @inventsekar,

Thank you for your answer. Well, I understand your point but what I want to do is display the list of alerts that weren't fired, for example:

An alert to send an email every time that a root account logs into a system, this alert needs to run every time and I want to know if the alert couldn't run.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...