alert setup

koushik · ‎09-28-2020

I would like to setup 2 alerts whenever no hits during the period . one is peak hours from 6am-01am and another one is non peak hours 01am-6am

each alert should trigger every 30 mins during these period .

gcusello · ‎09-28-2020

Hi @koushik,

let me understand: why do you want two alerts if you have to check that you haven't logs in a period?

you could have two alerts if you have a different threeshold in the two periods, but you have to check only if there are logs, so I think that you don't need two alerts.

Anyway, if you want two alerts, you have to follow two times this procedure:

create the search using the timeframe you want in the alert (e.g. 30 minutes),
Save as - Alert
add the following infos:
- Title - mnemonic name of your alert,
- Description (optional) - a description of your alert to remember it,
- Permission: shared in App - kind of permission of your alert,
- Alert Type: Scheduled - don't use real time because it't too expensive in terms of resources
- Run on cron schedule - scheduling the alert execution
- Time range - 30 minutes
- Cron expression: */30 * * * * - it means run every 30 minuts
- Expires 24 hours - time that the search results are available
- trigger aler when Number of results - trigger condition
- is equal to 0 - trigger if no results
- trigger once - only one alert
- Trigger actions: Add alert - add the actions to associate to you alert (email, script, etc...), add always the "Add to triggered alerts" action
- Save

If you want two alerts, the only difference between them is the cron expression and/or eventually the message in the eMail:

*/30 1-6 * * *
*/30 7-24 * * *

Ciao.

Giuseppe

alert setup

alert action

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application