Solved: Why is one of my email alert fields blank?

SecureIA · ‎01-14-2016

I am alerting on a failed login search provided below:-

host=CATSG14 "Failed login" GATEWAY="" USER_IDv3=""| stats count by USER_IDv3

I would like my email alert to say:

The alert condition for '$name$' was triggered.

User $result.USER_IDv3$ is having trouble accessing the $GATEWAY$ gateway.

The email picks out the USER_IDv3 field, but leaves the GATEWAY field blank. Is there anyway to grab the GATEWAY field?

javiergn · ‎01-14-2016

That's because your stats does not return the GATEWAY name and therefore is not part of the results.

Try this instead:

host=CATSG14 "Failed login" GATEWAY="*" USER_IDv3="*"| stats count by USER_IDv3, GATEWAY

Keep in mind you'll need to use $result. GATEWAY$ and not $GATEWAY$ in your alert by the way

javiergn · ‎01-14-2016

That's because your stats does not return the GATEWAY name and therefore is not part of the results.

Try this instead:

host=CATSG14 "Failed login" GATEWAY="*" USER_IDv3="*"| stats count by USER_IDv3, GATEWAY

Keep in mind you'll need to use $result. GATEWAY$ and not $GATEWAY$ in your alert by the way

Why is one of my email alert fields blank?