Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Missing results in Splunk Alert Email

vdhiman63
Engager
‎10-28-2021 07:19 AM

Hello Splunk Community !

I have an alert setup to report failed login attempts by a user > 4 times in 5 minutes.
Alert query :
index=win_os sourcetype="Security" EventCode=4625 | bin span=5m _time| stats count dc(user) by _time, user, Logon_Type,dest, src, Failure_Reason | where count > 3 | sort user | table _time, user, count, Logon_Type,dest, src, Failure_Reason

Alert settings:

Alert Type: Scheduled. Hourly, at 0 minutes past the hour.
Trigger Condition: Number of Results is > 0

Issue : the last time this alert ran, i got results only from 3 PM attempts.
the alert PDF did not report the results from 2:55 PM.

Actual Query result:

vdhiman63_0-1635430679430.png

 

Alert PDF that came in email:

vdhiman63_1-1635430694883.png

Any idea why the complete results were not shown from 2:55 PM when the alert triggered at the hour ? 

Labels (3)
0 Karma
Reply

vdhiman63
Engager
‎10-29-2021 06:52 AM

Thank you iam trying to check the logs. How can i verify the number of results in this message : 

event_message
user=" ", app="search", savedsearch_name="Potential Brute Force Attack - 4 or more login attempts in 5 mins", status=delegated_remote_completion, scheduled_time=1635418800, member_guid=246-1311-453B-B4C8-727D1A, member_label="SH005", member_URI="https://10....", sid=scheduler__search__RMD57367c0d1d64e89d1_at_1635418800_55813_7EA1D246-1311-453B-B4C8-727D1A477CE1, success=1

0 Karma
Reply

somesoni2
Revered Legend
‎10-29-2021 07:39 AM

Search this and look for field result_count.

index=_internal sourcetype=scheduler status=success savedsearch_name="Potential Brute Force Attack - 4 or more login attempts in 5 mins"

 

 

0 Karma
Reply

somesoni2
Revered Legend
‎10-28-2021 11:16 AM

Check the scheduler logs (index=_internal sourcetype=scheduler savedsearch_name=YourAlertName) to confirm the number of result. Also, consider allowing some breathing space between the alert schedule and time range. Instead of using Basic schedule

Alert Type: Scheduled.

Run at Cron scheduleHourly: 3 * * * * (every hour at 3 min past the hour)

Time Range: -1h@h to @h (last full hour)
Trigger Condition: Number of Results is > 0

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...