- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Splunk send alert if event count reaches some valu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk send alert if event count reaches some value with server which has that value.
Hi,
I want to search for an event "failure" from multiple hosts, and want splunk to send alert if count of events is greater than some value , along with which server has crossed that value.
The server name with number of count should be in mail alert.
Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Validate that where condition should have the count of failure threshold and report threshold should be one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Navigate to the Search page in the Search and Reporting app.
- Create a search.
- Select Save As>Alert.
- Enter a title and optional description.
- Specify permissions.
- Configure alert scheduling. There are two options for scheduling.
- Configure trigger conditions.
- (Optional) Configure a trigger throttling period.
- Select one or more alert actions that should happen when the alert triggers.
- Click Save
here is the docs page for related example: http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Alertexamples
For more details on all different kinds of alerts and options go though alerting documentation
http://docs.splunk.com/Documentation/Splunk/7.1.1/Alert/Aboutalerts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just setup an alert with search similar to this and when setting up the email alert action, include the search result, inline or as attachment.
index=foo sourcetype=bar "Your Failure Criteria"
| stats count by host | where count>YourThresholdValue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
works perfect, what if you had multiple fields? So, a condition happens say 100 times, but must happen on 10 different hosts as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks.
yes i have that.
But my requirement is that in the mail should have only that server which has met search criteria.
and no others.
Suppose I have three servers A,B,C. and only c has met condition, so in mail only c server should be there. Like C server has crossed the threshold.
and other should not be there in mail as they have not met the threshold limit.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey validate that you have failure threshold at where and alert threshold is 1.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
