Hello Splunk users,
I have been working with Splunk for a while, mainly creating and testing alerts. Recently I have become more demanding about the management of e-mail alerts.
To give some insight, I have created an alert which is triggered when more than 4 password failures take place on one of my routers.
This e-mail alert returns the person's name, IP and the number of failures. However, I also want to have the router name in the table, and other fields as well.
So far I have found sendemail.py, but it is too complicated for me as I don't know exactly where to look.
Any suggestions are welcome!
Evang
Hi evang_26,
There is no need to edit sendemail.py for that; just change your saved search to meet your requirement. This means you add to the result table of your existing saved search the fields for router name and any other fields you need to be in the alert. Set the alert to display the result inline and you're done.
Hope this helps ...
cheers, MuS
If it was helpful, please accept the answer. Thanks.
Thank you all and sorry for the "wrong" alert!
Cheers
glad to help, I'm sure you will find the problem 😉
MuS,
Yes, it is syslog. Well, it seems that it is extracted after all. The reason I thought it didn't work was that I couldn't see anything of it. Bear in mind that what I want to list in the end is a table with user, IP and hostname.
I used commands such as "fields", "table" and others. In any case, not all of the fields appear to have information: sometimes the host field is empty, other times the user field is empty, etc.
Maybe my problem lies somewhere there.
Thanks,
Evang
Looks like syslog, so Splunk will extract the hostname automatically as the field hostname=myhostname1.net
Linu and somesoni, sorry for the delay. A sample output is provided below.
< Jan 14 12:12:18 myhostname1.net Jan 14 12:12:18.351 2014 myhostinterface1.eth sshd[21523]: Failed password for WIN\user from 200.200.200.200 port 6666 ssh2 >
The difficulty here, now that I think about it again, is how to extract the hostname using regex, since different routers start with different names. The only common part is the ".net".
However, you have just sparked some thoughts.
Any suggestions though?
Thanks,
Evang
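As an added example (not code from the thread or from Splunk), the extraction and threshold logic of the alert written out in Python over constructed sample lines modelled on the event posted above. The hostname is taken from its position in the syslog header rather than matched by name prefix, so it works whatever the router name starts with; the "invalid user" variant of the sshd message is handled as well, which the thread's rex does not show. The SPL in the comment is an assumed equivalent, and the `host` field name is an assumption about how the syslog input is configured.

```python
import re
from collections import Counter

# Constructed sample events modelled on the line posted in the thread.
# These are not real router logs; hostnames and addresses are made up.
SAMPLE_EVENTS = [
    "Jan 14 12:12:18 myhostname1.net Jan 14 12:12:18.351 2014 myhostinterface1.eth sshd[21523]: Failed password for WIN\\user from 200.200.200.200 port 6666 ssh2",
    "Jan 14 12:12:20 myhostname1.net Jan 14 12:12:20.102 2014 myhostinterface1.eth sshd[21523]: Failed password for WIN\\user from 200.200.200.200 port 6667 ssh2",
    "Jan 14 12:12:22 myhostname1.net Jan 14 12:12:22.417 2014 myhostinterface1.eth sshd[21523]: Failed password for WIN\\user from 200.200.200.200 port 6668 ssh2",
    "Jan 14 12:12:24 myhostname1.net Jan 14 12:12:24.009 2014 myhostinterface1.eth sshd[21523]: Failed password for WIN\\user from 200.200.200.200 port 6669 ssh2",
    "Jan 14 12:12:26 myhostname1.net Jan 14 12:12:26.880 2014 myhostinterface1.eth sshd[21523]: Failed password for WIN\\user from 200.200.200.200 port 6670 ssh2",
    # A second router whose name starts differently, below the threshold.
    "Jan 14 12:13:01 rtr-edge02.net Jan 14 12:13:01.512 2014 gi0-1.eth sshd[4410]: Failed password for admin from 198.51.100.7 port 40112 ssh2",
    "Jan 14 12:13:03 rtr-edge02.net Jan 14 12:13:03.733 2014 gi0-1.eth sshd[4410]: Failed password for invalid user backup from 198.51.100.7 port 40113 ssh2",
    # Unrelated sshd event that must not match.
    "Jan 14 12:13:05 rtr-edge02.net Jan 14 12:13:05.001 2014 gi0-1.eth sshd[4411]: Accepted publickey for ops from 198.51.100.8 port 40114 ssh2",
]

# Assumed Splunk equivalent (not from the thread). The host field name depends
# on how the syslog input is configured, and the backslashes inside rex may
# need different escaping in the search bar:
#   index="routers" "Failed password for"
#   | rex "Failed password for (?:invalid user )?(?:(?:win|WIN)\\\\)?(?<User>\S+) from (?<IP>\S+) port"
#   | stats count by host, User, IP
#   | where count > 4
FAILED_PASSWORD = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"  # syslog timestamp
    r"(?P<host>\S+)\s+"                                  # syslog hostname, any prefix
    r".*?sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?"                                # sshd wording for unknown accounts
    r"(?:(?:win|WIN)\\)?"                                # optional domain prefix, as in the thread's rex
    r"(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_event(line):
    """Return {'host', 'user', 'ip', 'port'} for a failed-password event, else None."""
    m = FAILED_PASSWORD.search(line)
    return m.groupdict() if m else None


def failures_over_threshold(lines, threshold=4):
    """Count failures per (host, user, ip) and keep keys with count > threshold.

    Mirrors '... | stats count by host, User, IP | where count > 4'.
    """
    counts = Counter()
    for line in lines:
        fields = parse_event(line)
        if fields:
            counts[(fields["host"], fields["user"], fields["ip"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def alert_table(lines, threshold=4):
    """Rows in the shape the alert e-mail should show: Host, User, IP, Count."""
    return [
        {"Host": host, "User": user, "IP": ip, "Count": n}
        for (host, user, ip), n in sorted(failures_over_threshold(lines, threshold).items())
    ]


if __name__ == "__main__":
    for row in alert_table(SAMPLE_EVENTS):
        print(row)
```

Running it on the constructed events yields a single row, for myhostname1.net, because only that router exceeds four failures for one user and source address; the second router's two failures stay below the threshold. On the Splunk side the same effect is reached by adding the host field to the `stats ... by` clause of the saved search and sending the results inline, as MuS suggests in the answer above.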
Could you post some sample logs for "Failed password..." events? Only based on those can we suggest or point you to what to extract.
What MuS is suggesting is that, in the same way you have extracted fields like user, IP and port from the events, you can also include the router and the other fields' information.
Hi all,
To describe the situation in a bit more detail, here is the alert structure:
< index="routers" "Failed password for" | rex "Failed password for (win\\|WIN\\)?(?
The above returns a table with fields User, IP, and Count. I want to also have the router name and maybe other fields as well.
Thanks,
Evang
In this case, use rex as well to extract fields like router name and others from your raw events first. Then you can use them in the alert.
Hi MuS,
I really appreciate your prompt response. Thank you for saving me from the pain I was going through with sendemail.py. However, I still cannot do what I want: I am constrained to having in the table only the fields extracted by the "rex" command.
How can I take also fields such as the router name and others?
Thank you,
Evang