Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Alerting
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: similar alerts have several behaviours
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
acalvo
Explorer
03-22-2011
04:54 PM
When defining different alerts in the etc/user/admin/search/local/savedsearches.conf, some of them work and some don't. However, searches work for all of them and list events as expected.
Example that works:
[alert1]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "RCG" OR componentsc = "AS" OR componentsc = "VCS") AND actionsc = "ECPRO"
Example that does not work:
[alert2]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = mymail@mail.com
alert.expires = 7d
alert.suppress = 0
alert.suppress.period = 20s
alert.track = 1
alert.severity = 4
counttype = number of events
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt-30s
enableSched = 1
quantity = 0
relation = greater than
search = (componentsc = "AS" OR componentsc = "VCS" OR componentsc = "RCG") AND actionsc = "RBACA" AND (outcomesc = "001" OR outcomesc = "010")
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
02-25-2014
12:38 PM
The issue was probably the value set to 1 not recognized. Per saved searches.conf.spec:
alert.track = true | false | auto
* Specifies whether to track the actions triggered by this scheduled search.
* auto - determine whether to track or not based on the tracking setting of each action,
* do not track scheduled searches that always trigger actions.
* true - force alert tracking.
* false - disable alert tracking for this search.
* Defaults to auto.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
02-25-2014
12:38 PM
The issue was probably the value set to 1 not recognized. Per saved searches.conf.spec:
alert.track = true | false | auto
* Specifies whether to track the actions triggered by this scheduled search.
* auto - determine whether to track or not based on the tracking setting of each action,
* do not track scheduled searches that always trigger actions.
* true - force alert tracking.
* false - disable alert tracking for this search.
* Defaults to auto.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
acalvo
Explorer
03-24-2011
12:03 PM
Nevermind, the error was alert.track = 1, it should be alert.track = auto
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
