Include more info fields in e-mail alerts

evang_26
Communicator

Hello splunk users,

I have been around Splunk for a bit, mainly creating and testing alerts. Recently, I started to be more demanding regarding the management of e-mail alerts.

To give some insight here, I've created an alert which is triggered when more than 4 password failures take place on one of my routers.
This e-mail alert returns the person's name, IP and how many failures. However, I also want to have the router name and other fields in the table as well.

For the time being, I have spotted sendemail.py, but it is too complicated for me as I don't know exactly where to look.

Any suggestions are welcome!
Evang

1 Solution

MuS
Legend

Hi evang_26,

There is no need to edit sendemail.py for that; just change your saved search to meet your requirement. This means you add the fields for the router name, and any other fields you need in the alert, to the result table of your existing saved search. Set the alert to display the results inline and you're done.

Hope this helps ...

cheers, MuS

MuS
Legend

If it was helpful, please accept the answer. Thanks!

evang_26
Communicator

Thank you all and sorry for the "wrong" alert!

Cheers

MuS
Legend

Glad to help; I'm sure you will find the problem 😉

evang_26
Communicator

MuS,

Yes, it is syslog. Well, it seems that it is finally extracted. The reason I thought it didn't work was that I couldn't see any of it. Keep in mind that what I ultimately want to list is a table with user, IP and hostname.
I used commands such as "fields", "table" and others. In any case, not all of the fields appear to have information: sometimes the host field is empty, sometimes the user field is empty, etc.

Maybe my problem lies somewhere there.

Thanks,
Evang

MuS
Legend

Looks like syslog, so Splunk will extract the hostname automatically as the field hostname=myhostname1.net

evang_26
Communicator

Linu and somesoni, sorry for the delay. A sample output is provided below.

< Jan 14 12:12:18 myhostname1.net Jan 14 12:12:18.351 2014 myhostinterface1.eth sshd[21523]: Failed password for WIN\user from 200.200.200.200 port 6666 ssh2 >

The difficulty here, thinking about it again, is how to extract the hostname using a regex, since different routers have different initials. The only common part is the ".net".

However, you've just sparked some thoughts.

Any suggestions though?

Thanks,
Evang

somesoni2
Revered Legend

Could you post some sample logs for "Failed password..." events? Only based on that can we suggest/point you to what to extract.

linu1988
Champion

What MuS is suggesting: the same way you have extracted fields like user, IP and port from the events, you can include the router and the other fields' info.

evang_26
Communicator

Hi all,

To give a bit more detail on the situation, here is the alert structure:

< index="routers" "Failed password for" | rex "Failed password for (win\\|WIN\\)?(?<user>\S+) from (?<IP>\S+) port (?<port>\S+) ssh2" | stats count by user,IP | search count >4 | where user !="NULL" >

The above returns a table with fields User, IP, and Count. I want to also have the router name and maybe other fields as well.

Thanks,
Evang

MuS
Legend

In this case, use rex as well to get/extract fields like the router name and others from your raw events first. Then you can use them in the alert.

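As an added example that is not part of the original thread: the search evang_26 posted, extended the way MuS suggests so that a second rex pulls the router name out of the syslog header and the alert table carries it, plus a plain-Python re-implementation of the same extraction and count-by logic run over constructed sample lines, so the regexes can be checked before they go into the saved search. The field names router/user/IP/port, the threshold, the router hostnames and the addresses are assumptions; the sample events are constructed, not real log data.

```python
import re
from collections import Counter

# Extended version of the search from the thread (assumed; the original only
# extracted user, IP and port). The first rex takes the router name from the
# syslog header: the first token after "Mon DD HH:MM:SS". The table command at
# the end decides which columns the inline e-mail alert shows.
SPL = r'''
index="routers" "Failed password for"
| rex "^\w{3}\s+\d+\s+[\d:]+\s+(?P<router>\S+)"
| rex "Failed password for (?:invalid user )?(?:(?:win|WIN)\\)?(?P<user>\S+) from (?P<IP>\S+) port (?P<port>\d+) ssh2"
| where isnotnull(user) AND isnotnull(IP)
| stats count AS failures, values(port) AS ports BY router, user, IP
| where failures > 4
| table router, user, IP, failures, ports
'''

# The same two regexes in Python. (?P<name>...) is understood by both Splunk's
# PCRE-based rex and Python's re, so what is tested here is what goes into rex.
ROUTER_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<router>\S+)")
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?:(?:win|WIN)\\)?"
    r"(?P<user>\S+) from (?P<IP>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample events in the format shown in the thread (not real data):
# five failures for WIN\user on one router, two "invalid user" failures on a
# second router, one failure on a third.
SAMPLE_EVENTS = [
    "Jan 14 12:12:%02d myhostname1.net Jan 14 12:12:%02d.351 2014 myhostinterface1.eth "
    "sshd[21523]: Failed password for WIN\\user from 200.200.200.200 port %d ssh2"
    % (18 + i, 18 + i, 6666 + i)
    for i in range(5)
] + [
    # sshd writes "invalid user" for accounts that do not exist; without the
    # optional group in FAIL_RE the user field would come out as "invalid".
    "Jan 14 12:20:01 rtr-edge2.net Jan 14 12:20:01.004 2014 mgmt0 sshd[2201]: "
    "Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "Jan 14 12:20:03 rtr-edge2.net Jan 14 12:20:03.118 2014 mgmt0 sshd[2201]: "
    "Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2",
    "Jan 14 12:25:40 rtr-core3.net Jan 14 12:25:40.777 2014 mgmt0 sshd[977]: "
    "Failed password for root from 203.0.113.9 port 40022 ssh2",
]


def extract(event):
    """Fields the two rex commands would add to one event, or None when the
    sshd message does not match (Splunk would leave user/IP null, which the
    isnotnull() filter in the search drops)."""
    m = FAIL_RE.search(event)
    if m is None:
        return None
    fields = m.groupdict()
    r = ROUTER_RE.match(event)
    fields["router"] = r.group("router") if r else None
    return fields


def alert_rows(events, threshold=4):
    """'stats count BY router, user, IP | where count > threshold' in plain Python:
    one row per (router, user, IP) whose failure count exceeds the threshold."""
    failures = Counter()
    ports = {}
    for event in events:
        f = extract(event)
        if f is None:
            continue
        key = (f["router"], f["user"], f["IP"])
        failures[key] += 1
        ports.setdefault(key, set()).add(f["port"])
    return [
        {"router": router, "user": user, "IP": ip,
         "failures": n, "ports": sorted(ports[(router, user, ip)])}
        for (router, user, ip), n in sorted(failures.items())
        if n > threshold
    ]


if __name__ == "__main__":
    for row in alert_rows(SAMPLE_EVENTS):
        print(row)
```

With the constructed events only myhostname1.net / user / 200.200.200.200 crosses the threshold, and the row now carries the router name alongside the count. If your syslog inputs already set Splunk's default host field from the header, `BY host` replaces the first rex; the e-mail action then needs "Include results inline" enabled (action.email.inline / action.email.sendresults in savedsearches.conf) for the table to appear in the message.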
evang_26
Communicator

Hi MuS,

I really appreciate your prompt response. Thank you for sparing me the pain I was going through with sendemail.py. However, I still cannot do what I wish. I am constrained to having in the table only the fields extracted by the "rex" command.

How can I take also fields such as the router name and others?

Thank you,
Evang
