Trigger condition

kulkarnivijay27 · ‎11-02-2023

Hi Team,

i have a basic search, where i need to alert when particular process name not available in raw data or last 15 minutes data. Plz suggest how to get the trigger.

Thanks,

Vijay K.

isoutamo · ‎11-02-2023

Hi

Splunk is not good to found something which is not existing 😞 Here is one blog post about it https://www.duanewaddle.com/proving-a-negative/ maybe it helps you.

Other ideas could be found from these

There are a lot of options for finding hosts or sources that stop submitting events:
- Meta Woot! https://splunkbase.splunk.com/app/2949/
- TrackMe https://splunkbase.splunk.com/app/4621/
- Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
- Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
Some helpful posts:
- https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe

r. Ismo

richgalloway · ‎11-02-2023

If you already have the search then click the "Save as" drop-down in the top-right corner of the window and choose "Alert". The trigger condition is set in the lower part of the subsequent form.

---
If this reply helps you, Karma would be appreciated.

Trigger condition

alert action

alert condition

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases