Is it possible to create an email notification based off an error report?

cbiraris
Path Finder

Hello Team,

Is it possible to create an error report that runs every 30 minutes, but where the mail notification is raised only if 20 ERROR events are generated in the last 30 minutes?

Example:

index=ABC sourcetype=XYZ "ERROR"=999

I need help to create a report like this.

richgalloway
SplunkTrust

Splunk calls such reports "alerts".

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @cbiraris,

let me understand: you want to fire the alert if the alert was fired 20 times, is it correct?

In this case you have to create two alerts:

  1. the first has to check your condition and the only related action is to write an event in a summary index, no eMail,
  2. the second is on the summary index and checks if you had 20 alerts in the last 30 minutes and has the action to send the eMail.

Ciao.

Giuseppe

cbiraris
Path Finder

@gcusello

Thank you for writing me back.

I want to create a report which will run every 30 minutes, but only if the ERROR events are 20 in the last 30 minutes should it trigger an email notification, like alerts normally do.

I know it can be possible with a lookup, but I am not sure how to create it. Could you please help with sample code and direction?


gcusello
SplunkTrust

Hi @cbiraris,

let me understand:

  • you need a report scheduled every 30 minutes, created every time,
  • then you need an alert that, if you have more than 20 values, has to send an eMail,

is it correct?

If this is your need, you can create two objects:

  • a report scheduled every 30 minutes,
  • an alert that fires if there are more than 20 values and sends an eMail.

Ciao.

Giuseppe

cbiraris
Path Finder

@gcusello

Yes, you are right. I need both the Report and the Alert, but if the alert fires, the email should contain the report.

so, is it possible ?

Thank you 🙂


gcusello
SplunkTrust

Hi @cbiraris,

as I said, you have to create two different objects:

  • a report that is sent in every condition,
  • an alert that fires when there's your condition (count>20) and has the report as attachment.

They use the same search, but the alert has the additional condition count>20.

Ciao.

Giuseppe
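
The two-object setup Giuseppe describes, written out as a savedsearches.conf fragment so the moving parts are visible. This is an added example, not code from the original thread or from Splunk's documentation: the stanza names, the recipient address and the app path are assumptions, and the base search is the one from the question (note that in SPL `"ERROR"=999` is a field comparison, a field named ERROR equal to 999, not a keyword match; drop `=999` if the intent was to match the word ERROR).

```ini
# savedsearches.conf
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# Stanza names and the recipient address are assumptions; the base search is
# the one from the question. Both objects run the same search on the same
# schedule; only the alert carries the trigger condition.

# 1) The report: runs every 30 minutes and always mails its results.
[ERROR 999 - 30 minute report]
search = index=ABC sourcetype=XYZ "ERROR"=999
enableSched = 1
cron_schedule = */30 * * * *
# Snap both ends to the minute so consecutive runs neither overlap nor leave
# a gap between the 30-minute windows.
dispatch.earliest_time = -30m@m
dispatch.latest_time = @m
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = Scheduled report: $name$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table

# 2) The alert: same search and schedule, but it fires (and mails) only when
#    more than 20 events were found. The result set is attached as CSV.
#    Keep the search non-transforming here: "number of events" counts the
#    rows the search returns, so a trailing "| stats count" would turn the
#    count into a single row and the threshold would never be exceeded.
[ERROR 999 - more than 20 in 30 minutes]
search = index=ABC sourcetype=XYZ "ERROR"=999
enableSched = 1
cron_schedule = */30 * * * *
dispatch.earliest_time = -30m@m
dispatch.latest_time = @m
# Trigger condition. The Alert UI writes the same condition as
# alert_type / alert_comparator / alert_threshold as well.
counttype = number of events
relation = greater than
quantity = 20
alert.track = 1
alert.severity = 4
# Throttle: once triggered, stay quiet for 30 minutes so one burst of
# errors does not produce duplicate e-mails.
alert.suppress = 1
alert.suppress.period = 30m
action.email = 1
action.email.to = ops-team@example.com
action.email.subject = ALERT: $name$ ($job.resultCount$ events in 30 min)
action.email.sendresults = 1
action.email.inline = 1
action.email.sendcsv = 1
action.email.format = table
action.email.include.trigger = 1
action.email.include.trigger_time = 1
action.email.include.results_link = 1
```

Two practical notes. First, the trigger threshold lives in the alert object, not in the SPL, so the attached results are the full event list rather than a single count; if you prefer scelikok's `| stats count | search count>20` form, set the alert to trigger on number of results greater than 0, and accept that the mail then carries only the count. Second, `sendresults`/`sendcsv` ship raw error events by e-mail, which can include sensitive data from the logs; restrict the recipient list accordingly, or end the search with `| fields _time host source _raw` (or a narrower field list) to control what leaves the platform.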

cbiraris
Path Finder

Wow..! Thank you so much @gcusello

It worked.


gcusello
SplunkTrust

Hi @cbiraris,

good for you, see you next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

scelikok
SplunkTrust

Hi @cbiraris,

You can filter the event count like below and save it as an alert:

index=ABC sourcetype=XYZ "ERROR"=999 | stats count | search count>20

If this reply helps you, an upvote and "Accept as Solution" is appreciated.