Looking for a Splunk Jedi Master to shed some light on my failing alert.
I have no problem setting up an alert such as the following (for instance, to see when I receive emails from *@splunk.com):
index=mail sourcetype="mail" sender=*@splunk.com| stats values(sender) |sendemail to= ....
alert settings are:
real-time
per-result
send email
The problem is when I create an alert with the same settings for the following:
index=mail
[search index=mail sourcetype=mail
[search index=main sourcetype=A eventtype=a suser=* | dedup suser | fields suser| rex field=suser "<(?<attacker>[\w\d\.\-\@]+)>" | eval sender=lower(attacker) |table sender]
|stats count by internal_message_id | table internal_message_id]
|eval Time=strftime(_time, "%H:%M") | eval Date=strftime(_time, "%F") | stats list(*)
When I run the second alert manually I get results, and when I add the sendemail to ... I get the results mailed, but when I create the alert and verify that it is running 100%, I get nothing.
Does anyone have some suggestions or a checklist on how to determine where in the complex subsearch (second code) I went wrong?
Thank you!
This is how I would do it (these steps assume you're creating the alert by saving the search using "Save As" OR updating the existing alert from the Alerts dashboard (Your app -> Navigation Menu -> Alerts)):
Search: Use your current search
Alert Type: Scheduled
Time range: -6m@m to -1m@m
Schedule (cron): 1-59/5 * * * *
Trigger Condition: Number of events > 0
Enable Actions: Send Email (setup to, subject,email options per your need)
Action Options :
When triggered, execute actions : Per result
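The scheduled settings in this answer, written out as a savedsearches.conf stanza so they can be compared key by key against the real-time version (an added example, not from the answer or from Splunk's documentation; the stanza name, recipient address, subject line, and the rt / rt-5m time specifiers shown for the real-time variant are assumptions):

```ini
# Added example: the answer's scheduled alert as a savedsearches.conf stanza.
# Stanza name, address and subject are placeholders (assumptions).

# --- Before (the failing setup): real-time, per-result, "all time (real-time)" ---
# A real-time alert carries the same search but with a streaming window, e.g.
#   dispatch.earliest_time = rt        (or rt-5m for a 5-minute window; assumed)
#   dispatch.latest_time   = rt
#   cron_schedule          = * * * * *
# The subsearches are evaluated when the search is dispatched, not per event.

# --- After: historical search every 5 minutes over a closed 5-minute window ---
[mail_from_attacker_sender]
search = index=mail \
    [search index=mail sourcetype=mail \
        [search index=main sourcetype=A eventtype=a suser=* | dedup suser | fields suser \
         | rex field=suser "<(?<attacker>[\w\d\.\-\@]+)>" | eval sender=lower(attacker) | table sender] \
     | stats count by internal_message_id | table internal_message_id] \
    | eval Time=strftime(_time, "%H:%M") | eval Date=strftime(_time, "%F") | stats list(*)
enableSched = 1
# Schedule (cron): minute 1, 6, 11, ... of every hour
cron_schedule = 1-59/5 * * * *
# Time range: -6m@m to -1m@m; the 1-minute lag lets late-indexed mail events land
dispatch.earliest_time = -6m@m
dispatch.latest_time = -1m@m
# Trigger Condition: Number of events > 0
counttype = number of events
relation = greater than
quantity = 0
# When triggered, execute actions: Per result (0 = per result, 1 = once per run)
alert.digest_mode = 0
# Enable Actions: Send Email
action.email = 1
action.email.to = soc@example.com
action.email.subject = Mail from known attacker sender
```

To confirm the scheduled copy actually runs and returns rows, check the scheduler log: index=_internal sourcetype=scheduler savedsearch_name="mail_from_attacker_sender" | table _time status result_count run_time. A run with status=success and result_count=0 points at the search or its window, not at the email action.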
Have not tested it yet, waiting for something to roll in and trigger it, but I think you are right (as usual), thank you.
Not sure how you saved your alert (we could be on different versions), but I edited my alert via app: Search & Reporting > Alerts.
I think I got everything correct; the only difference is the "Time range:" -6m@m to -1m@m.
should I change mine, see below?
Settings
Alert [name]
Alert type Scheduled
Run on Cron Schedule
earliest -6m
latest -1m
cron expression 1-59/5 * * * *
Trigger Conditions
Trigger alert when Number of Results is greater than 0
Trigger For each result
Thank you
Any specific reason for running a real-time scheduled search? What I mean to say is that you can run a historical search more frequently instead of a real-time search, provided 1-5 min latency is acceptable to you.
OK, I wanted a real-time search but I obviously must not be doing it right.
Can you send me your suggested settings so I don't muck it up?
Thank you!
What is the time range/time window you're currently using?
Currently using "all time (real-time)" when I view the alert by Open in Search
I can live with a few minute delay like checking every 5 minutes... just not sure how to set it all up
is this what you are suggesting?
Alert Type: Real-time
Trigger Condition: Number of Results is > 0 in 5 minutes
Actions: 1 Action (Send email)