While scheduling an alert with Alert Manager, why is event 'A' working while other events with the same parameters aren't?

willadams
Contributor

I downloaded the application "Alert Manager" and have been able to successfully configure alerts for my searches. Strangely enough I have come across a weird issue that has left me scratching my head as I can't determine what is causing my issue. This comes down to a couple of alerts I am trying to alert on.

The alerts I will indicate here are

(A) Windows EventID 1102 ==> when a security log is cleared
(B) Windows EventID 4720 ==> a local user account is created
(C) Windows EventID 4732 ==> a local user account is added to a local group (such as Administrators)

I can perform my search in Splunk and I am using standard TAs for Windows and I can find these alerts without a problem. My searches are as follows:

For (A) ==> index=wineventlog sourcetype=wineventlog:security EventCode=1102. The relative time frame I am using is "Last 24 hours"
For (B) ==> index=wineventlog sourcetype=wineventlog:security EventCode=4720. The relative time frame I am using is "Last 24 hours"
For (C) ==> index=wineventlog sourcetype=wineventlog:security EventCode=4732. The relative time frame I am using is "Last 24 hours"

For (A) I saved the search as an Alert and configured it as follows

  • Enabled = Yes
  • Permissions = Shared in App
  • Alert-Type = real-time
  • Trigger Condition = Per-Result
  • Action = Alert Manager with a "title", impact=High, Urgency=High, Owner=unassigned

When an event occurs for alert (A) I immediately get an alert showing in the Alert Manager tool. However, if I configure an alert for alerts (B) and (C) with the same parameters this doesn't work. The log exists in the index but Alert Manager doesn't work. I am not sure why this is occurring.

Any insights?

0 Karma
1 Solution

willadams
Contributor

This issue appears to be a problem with a limitation on the number of concurrent real-time searches that could be run. Disabling other real time alerts allowed these schedules to be set for a new alert. Looks like the best method forward is to utilise periodical (scheduled time) alerts as opposed to immediate real-time alerts.

0 Karma
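The move the accepted answer recommends, as an added example that is not from the thread or from the Alert Manager app: a savedsearches.conf stanza that replaces the real-time alerts for (B) and (C) with one scheduled search covering all three EventCodes from the question. The search, schedule and trigger keys are standard Splunk savedsearches.conf settings; the Alert Manager action name and its param.* keys are assumed from the UI fields the question lists (title, impact, urgency, owner) and should be checked against the app's own alert_actions.conf.

```ini
# savedsearches.conf (added example; not the original poster's configuration)
# A scheduled search runs every 5 minutes over the previous 5-minute window and
# releases its search slot when it finishes, instead of holding one of the
# limited concurrent real-time search slots open permanently.
[Windows - Audit log cleared or local account/group change]
search = index=wineventlog sourcetype=wineventlog:security EventCode IN (1102, 4720, 4732)
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
enableSched = 1
disabled = 0

# Fire when at least one event is returned.
counttype = number of events
relation = greater than
quantity = 0

# One alert per matching event (the "Per-Result" trigger from the question)
# and keep a record of each firing under Triggered Alerts.
alert.digest_mode = 0
alert.track = 1

# Alert Manager action. Action name and parameter keys are assumed from the
# app's UI fields named in the question; verify them in the app's
# alert_actions.conf before relying on this stanza.
action.alert_manager = 1
action.alert_manager.param.title = Windows security audit event $result.EventCode$ on $result.host$
action.alert_manager.param.impact = high
action.alert_manager.param.urgency = high
action.alert_manager.param.owner = unassigned
```

If a search still fails to get a job scheduled, the ceiling the accepted answer ran into is governed by the max_rt_search_multiplier setting in the [search] stanza of limits.conf, which multiplies the historical search concurrency limit to give the real-time limit.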

willadams
Contributor

When reviewing the alerts that have been created, we did notice that for the alert there is no job or task being created. For the ones that do work there is a job or task that is being created. The question is why do some alerts have this job associated but other jobs don't?

0 Karma