Alerting

Newly created Sourcetype should alert in Splunk Alerts

anandhalagarasa
Path Finder

Hi Team,

I have a requirement to ingest particular logs from a client machine, so I have created a custom app with inputs in place, i.e. with source & sourcetype. Here I have newly created the sourcetype as abcd. I have pushed the custom app from the Deployment server, which in turn is getting applied to the indexers, and the log has been ingested into Splunk Cloud.

My query is that each and every sourcetype which we newly create should be reported to the Security Operations team so that they can keep track of it.

For example if a new sourcetype has been created and deployed from our end then the same day or the consecutive day an email has to be triggered to Security Operations team.

So what would be the search query to fetch the data?

0 Karma

gcusello
SplunkTrust

Hi anandhalagarasan,
if you want a daily check you could schedule an alert running e.g. at 00.15 with a search like this one:

index=_internal earliest=-d@d latest=@d
| stats dc(date_mday) AS count_day max(date_mday) AS day BY sourcetype
| eval checkdate=if(day=tonumber(strftime(now(),"%d"))-1,"OK","NOK")
| where checkdate="OK" AND count_day>1

Remember that it isn't a good idea to have too many sourcetypes and that all the knowledge objects (such as fields, tags, eventtypes, etc...) are related to sourcetype, so if you continuously add new ones it's more difficult to use them.

Ciao.
Giuseppe

0 Karma
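One way to implement the daily new-sourcetype check asked about in this thread, as an added example that is not from either poster: list every sourcetype whose first event inside a baseline window falls on the previous day. The search window has to be longer than the day being checked so that already-known sourcetypes show an earlier first_seen. The 30-day baseline and `index=*` are assumptions to adjust to your retention and to the indexes the alert owner's role can search.

```spl
| tstats count min(_time) AS first_seen max(_time) AS last_seen
    WHERE index=* earliest=-30d@d latest=@d
    BY index sourcetype
| stats sum(count) AS events min(first_seen) AS first_seen max(last_seen) AS last_seen values(index) AS indexes BY sourcetype
| where first_seen >= relative_time(now(), "-1d@d")
| convert ctime(first_seen) ctime(last_seen)
| table sourcetype indexes events first_seen last_seen
```

Scheduled once a day shortly after midnight with the trigger condition "number of results greater than 0" and an email action, this reports each sourcetype once, on the day after it first receives data.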