Solved: Is there any way to send an email alert after a ce...

israalbo · ‎03-10-2020

I am displaying on a counter a value that basically counts the times a login has failed, but I would like to get an Email, every time that counter goes over 5, so that way I could monitor better what is going on or if it is an attack. Thank you!

gcusello · ‎03-10-2020

HI @israalbo,
you can use the same search to schedule an alert.
You have only to define:

frequency of execution,
time period of search,
threshold.

In the alert you can also set if the alert must be fired every time there's a value that exceed threshold or if there's a period, after alert, that the alert isn't executed again.

Ciao.
Giuseppe

View solution in original post

gcusello · ‎03-10-2020

HI @israalbo,
you can use the same search to schedule an alert.
You have only to define:

frequency of execution,
time period of search,
threshold.

In the alert you can also set if the alert must be fired every time there's a value that exceed threshold or if there's a period, after alert, that the alert isn't executed again.

Ciao.
Giuseppe

View solution in original post

israalbo · ‎03-10-2020

Hi, I am new at Splunk, let me get this straight, inside the search I can get a report by email? Do you have any extra information in order to accomplish that? I would be very thankful!

gcusello · ‎03-10-2020

HI @israalbo,
you can create your search and when you have to save it, you can choose as options:

an alert,
a dashboard panel,
a report.

if you choose Alert, Splunk opens a panel to set the alert options (frequency, activation, etc...) and the actions (email, script execution, etc...).

For more infos see at:
https://www.youtube.com/watch?v=0REbozaALX0
https://docs.splunk.com/Documentation/Splunk/8.0.2/Alert/Aboutalerts

Ciao.
Giuseppe

Is there any way to send an email alert after a certain value?