Alerting

How to raise an alert for dbquery in splunk?

boney_s
Explorer

I need to raise an e-mail alert for a particular SQL command query in Splunk 6.1.0, i.e. if the number of rows is greater than 9. I have created an alert for dbquery (|dbquery "SystemLog" "Select * from Central_Log" -> Save As -> Alert). I have created a custom trigger with condition "search count > 9".
But now I am getting the error that the dbquery command is not supported in a real-time search. How can I achieve this in Splunk? Thanks in advance.

0 Karma

linu1988
Champion

Hello Boney,
If real-time doesn't support it, then use a scheduled alert, like every minute. For alerting, provide a condition as well.

|dbquery "SystemLog" "Select * from Central_Log"|where Field > 5

Similarly, if you want to set an alert for unsuccessful attempts, then mention the condition as below.

sourcetype=mysource "Unsuccessful"|stats count|where count=5

More Reference:
http://docs.splunk.com/Documentation/Splunk/6.1.4/Alert/Setupalertactions

Thanks,
L

boney_s
Explorer

Thank you my friend, the scheduled alert worked. Two more queries:
1. No email is sent for the alert, but alerts are shown in the triggered alerts page. Do I need to configure it in the Splunk system settings (Settings -> System Settings -> Email Settings)? Could you please specify the parameters that need to be configured.
2. What is the cron expression for raising an alert every 1 min (scheduled alert)? I have given:
Earliest: -5m
Latest: now
Cron expression: */5 * * * *
But only two alerts are shown, at 18:32 IST and 18:37 IST.

0 Karma

linu1988
Champion
* * * * * for every minute. Check if throttling is enabled. For the emails, I am not sure why they will not be triggered; is the mail client configured? Check in System Settings for the email server and check the sendmail command manually to see if the email works. You can find all the info in the Splunk docs.
0 Karma
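As an added example (not from either poster, and not Splunk's own documentation), here is how the advice in both replies above, a scheduled dbquery search with a `where` condition, the every-minute cron schedule, throttling and the e-mail action, looks when written directly into savedsearches.conf and alert_actions.conf. The connection name "SystemLog", the table Central_Log, the `sourcetype=mysource "Unsuccessful"` search and the thresholds (9 rows, 5 attempts) come from the thread; the stanza names, the mail server, the recipient address and the `event_time` column are assumptions chosen for the example.

```ini
# Added example: $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# (stanza names, addresses and the event_time column are assumed, not from the thread)

[Central_Log row count above 9]
# DB Connect v1 search from the thread, with the threshold applied in the search itself,
# so the alert only has to check "any rows returned?"
search = | dbquery "SystemLog" "SELECT * FROM Central_Log" | stats count | where count > 9
# dbquery is not supported in real-time searches, so schedule it instead
enableSched = 1
# every minute (the */5 form in the thread fires every five minutes)
cron_schedule = * * * * *
# earliest/latest do not bound a dbquery result: the SQL above reads the whole table every run,
# so once the table holds 10 rows this fires every minute until throttled. To count only new
# rows, bound the SQL on a timestamp column instead (MySQL syntax, assumed column name):
# search = | dbquery "SystemLog" "SELECT * FROM Central_Log WHERE event_time > NOW() - INTERVAL 1 MINUTE" | stats count | where count > 9
dispatch.earliest_time = -1m
dispatch.latest_time = now
# trigger when the search returns at least one result row
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# show it under Activity > Triggered Alerts (this is what the poster already sees)
alert.track = 1
alert.severity = 4
# throttling: at most one notification per 10 minutes; if this is on and you expect
# one alert per minute, this is the setting to check first
alert.suppress = 1
alert.suppress.period = 10m
# e-mail action; no mail goes out unless the server below is configured as well
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Splunk alert: Central_Log row count above 9
action.email.sendresults = 1

[Unsuccessful logins above 5 per minute]
# indexed-events variant from the first reply; here the search window does matter,
# so it is kept equal to the schedule interval to avoid counting the same events twice
search = sourcetype=mysource "Unsuccessful" | stats count | where count > 5
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Splunk alert: more than 5 unsuccessful logins in the last minute
action.email.sendresults = 1

# Added example: $SPLUNK_HOME/etc/system/local/alert_actions.conf
# These are the values behind Settings -> System Settings -> Email Settings.
# Until mailserver is reachable, alerts still appear as triggered but no mail is delivered.
[email]
mailserver = smtp.example.com:587
from = splunk@example.com
use_tls = 1
auth_username = splunk@example.com
# auth_password is left out here; set it through the UI so it is stored encrypted
```

Restart Splunk (or use the Settings UI, which writes the same keys) after editing these files. The two stanzas apply the threshold in the search and trigger on "more than 0 results", which is the pattern the first reply recommends; the difference between them is that the dbquery stanza must bound its rows in SQL, because `dispatch.earliest_time` only limits indexed events, not database rows.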

boney_s
Explorer

Guys, I also wrote an application which logs unsuccessful logins into a MySQL database, which I have integrated into Splunk using splunkDbconnector. Is there any way to raise an alert, specifically an e-mail, if the number of unsuccessful attempts is greater than 5?

Also, please provide me any useful links. I am a newbie to this field.

0 Karma