Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to see not fired alerts - SPL?

rafamss
Contributor
‎10-20-2020 11:24 AM

Hello everyone,

I have a good search (SPL) to see what was the last fired alerts but I don't have one to see what was not, do you how to do?

Regards,

Rafael Santos

Labels (1)
Labels
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-20-2020 12:57 PM

Hi @rafamss ... lets say you have a simple log file containing the list of usernames(100 usernames=1 root, 99 non-root users). you created an alert for finding out if the username is equal to root. 

the alert will fire for that 1 root user and all else are the alert-not-fired condition. 

 

so, we can not find out or list down the alerts that are not fired. 

(if alert fired but email notification, no other actions, then, that can be troubleshooted.)

Reply

rafamss
Contributor
‎10-20-2020 01:21 PM

Hi @inventsekar,

Thank you for your answer. Well, I understand your point but what I want to do is display the list of alerts that weren't fired, for example:

An alert to send an email every time that a root account logs into a system, this alert needs to run every time and I want to know if the alert couldn't run.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...