All Apps and Add-ons

Custom Email Alert Based On 15 Minutes Search

farrukhahmed
Explorer

Hello,

I am trying to send custom email alert if there is any SQL Injection has been done on our Websites.

`fidelis_get_xps_event` | search tag=initial_compromise | eval Severity=lower(Severity) | table _time Target Severity AlertId hostIp eventtype | search eventtype="incoming_sql_injection"  | chart dc(AlertId) as count by hostIp 
| eval check=case(isnull(hostIp),1) | search check=0 | sendemail to=farrukh@example.com from=splunk@example.com subject="SQL Injection" server=smtp.example.com

The condition i am checking is 15 minute time for the search and checking if the hostIp is not null. It should not send an email if the check=0 but its keep sending an email.

Thank you.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

sendemail is not conditional. It will send email regardless of the number of results. To send mail only if there are results, remove the sendemail command and choose the "Send email" alert action.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

sendemail is not conditional. It will send email regardless of the number of results. To send mail only if there are results, remove the sendemail command and choose the "Send email" alert action.

---
If this reply helps you, Karma would be appreciated.
0 Karma

farrukhahmed
Explorer

Hello richgalloway,

Before this question was moderated, i figured out about alert 🙂

Thanks for your answer.

0 Karma

farrukhahmed
Explorer

I have done this and following is my alert i am trying to run job every 15 minutes so that if there is any SQL Injection happen it will triggered an email as mentioned in below image.

https://ibb.co/BjfXNL8
https://ibb.co/mTVtwFj

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...