Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- How to raise an alert for dbquery in splunk?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to raise an alert for dbquery in splunk?
boney_s
Explorer
10-30-2014
03:55 AM
I need to raise an E-mail alert for a particular sql command query in Splunk 6.1.0. i. e if the number of rows is greater than 9. I have created an alert for dbquery (|dbquery "SystemLog" "Select * from Central_Log',->Save_As->Alert). i have created a custom trigger with condition "search count >9".
But now i am getting the error as dbquery command is not supported in a real-time search. How can i achieve this in splunk. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
linu1988
Champion
10-30-2014
05:12 AM
Hello Boney,
If realtime doesn't support then use the schedule alert like every minute. For alerting provide a condition as well.
|dbquery "SystemLog" "Select * from Central_Log"|where Field > 5
similarly if you want to set alert for unsuccesful attempts then mention the condition as below.
sourcetype=mysource "Unsuccessful"|stats count|where count=5
More Reference:
http://docs.splunk.com/Documentation/Splunk/6.1.4/Alert/Setupalertactions
Thanks,
L
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
boney_s
Explorer
10-30-2014
10:39 PM
Thank you my friend, scheduled alert worked. Two more queries:
1. No email is send for the alert but alerts are shown in triggered alert page . Do i need to configure it in splunk system setting (Settings->System Settings->Email Setting ). Could you please specify the parameters that need to be configured.
2. What is the cron expression for raising alert every 1 min(Scheduled alert). I have given :
Earliest : -5m
Latest: now
cron Expres: */5 * * * *
But only two alerts are shown at 18:32 IST and 18:37 IST
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
linu1988
Champion
10-31-2014
03:59 AM
- * * * * for every minute. Checking is the throttling is enabled. Emails i am not sure why it will not be triggered, is the mail client configured? Check in system Setting for email server and check the sendmail command manually if the email works. You can find all the info in splunk docs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
boney_s
Explorer
10-30-2014
04:32 AM
Guys i also wrote one application which logs unsuccessful logins into mysql database, which I have integrated into splunk using splunkDbconnector. Is there any way to raise an alert specifically E-mail, if number of unsuccessful attempts is greater than 5.
Also please provide me any useful links. I am newbie to this field.
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
