How to see not fired alerts - SPL?

rafamss
Contributor

Hello everyone,

I have a good search (SPL) to see what the last fired alerts were, but I don't have one to see what was not fired. Do you know how to do it?

Regards,

Rafael Santos

inventsekar
SplunkTrust

Hi @rafamss ... let's say you have a simple log file containing a list of usernames (100 usernames: 1 root, 99 non-root users). You created an alert for finding out if the username is equal to root.

The alert will fire for that 1 root user, and all the others are the alert-not-fired condition.

So, we cannot find out or list the alerts that are not fired.

(If the alert fired but no email notification or other actions followed, then that can be troubleshot.)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

rafamss
Contributor

Hi @inventsekar,

Thank you for your answer. Well, I understand your point, but what I want to do is display the list of alerts that weren't fired, for example:

An alert to send an email every time a root account logs into a system; this alert needs to run every time, and I want to know if the alert couldn't run.

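The distinction the thread lands on is between an alert that ran and simply matched nothing (not fired, by design) and an alert that never executed or was skipped by the scheduler (could not run). Splunk's own scheduler log in the `_internal` index records every scheduled run with a `status` field (`success`, `skipped`, ...) and, on success, the `alert_actions` that were triggered, so the second case can be listed. The search below is an added example written for this thread, not something posted by either participant: it pulls every enabled scheduled search from the REST endpoint and left-joins the last 24 hours of scheduler log entries, keeping only the alerts that had no successful run or at least one skipped run. The field names (`savedsearch_name`, `status`, `alert_actions`, `eai:acl.app`) are the standard ones in `scheduler.log` and the `saved/searches` endpoint; the 24-hour window is an assumption you should match to your alerts' cron schedules.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search is_scheduled=1 disabled=0
| rename title AS savedsearch_name, eai:acl.app AS app
| table savedsearch_name app cron_schedule
| join type=left savedsearch_name app
    [ search index=_internal sourcetype=scheduler earliest=-24h
      | stats count(eval(status="success")) AS runs
              count(eval(status="skipped")) AS skipped
              count(eval(status="success" AND alert_actions!="")) AS fired
              latest(_time) AS last_run
        BY savedsearch_name app ]
| fillnull value=0 runs skipped fired last_run
| eval last_run=if(last_run=0, "no run in window", strftime(last_run, "%Y-%m-%d %H:%M:%S"))
| where runs=0 OR skipped>0
| table savedsearch_name app cron_schedule runs skipped fired last_run
```

Read the columns together: `runs=0` with `last_run="no run in window"` means the scheduler produced no entry at all for that alert (disabled scheduler, stale search head, or a window shorter than the cron interval); `skipped>0` means the scheduler deliberately did not execute it, and the corresponding `scheduler.log` lines carry a `reason` field that explains why. An alert with a healthy `runs` count and `fired=0` is the "ran but matched nothing" case from the earlier reply, which is normal behaviour rather than a failure. Drop the final `where` to see the full inventory, and keep in mind that `alert_actions` only reflects configured actions, so an alert with no actions configured will always show `fired=0` even when it matched.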