How to raise an alert for dbquery in splunk?

Explorer

I need to raise an E-mail alert for a particular SQL command query in Splunk 6.1.0, i.e. if the number of rows is greater than 9. I have created an alert for dbquery (|dbquery "SystemLog" "Select * from Central_Log" -> Save As -> Alert). I have created a custom trigger with condition "search count > 9".
But now I am getting the error that the dbquery command is not supported in a real-time search. How can I achieve this in Splunk? Thanks in advance.


Champion

Hello Boney,
If real-time doesn't support it then use a scheduled alert, like every minute. For alerting provide a condition as well.

|dbquery "SystemLog" "Select * from Central_Log"|where Field > 5

Similarly, if you want to set an alert for unsuccessful attempts then mention the condition as below.

sourcetype=mysource "Unsuccessful"|stats count|where count=5

More Reference:
http://docs.splunk.com/Documentation/Splunk/6.1.4/Alert/Setupalertactions

Thanks,
L

Explorer

Thank you my friend, the scheduled alert worked. Two more queries:
1. No email is sent for the alert but alerts are shown in the Triggered Alerts page. Do I need to configure it in the Splunk system settings (Settings -> System Settings -> Email Settings)? Could you please specify the parameters that need to be configured.
2. What is the cron expression for raising an alert every 1 min (scheduled alert)? I have given:
Earliest: -5m
Latest: now
Cron Expression: */5 * * * *
But only two alerts are shown, at 18:32 IST and 18:37 IST.


Champion
* * * * * for every minute. Check if throttling is enabled. Emails, I am not sure why they will not be triggered; is the mail client configured? Check in System Settings for the email server and check the sendmail command manually to see if the email works. You can find all the info in the Splunk docs.
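As an added example (not from the thread or from Splunk's own docs), the scheduled-alert pattern above written out as savedsearches.conf stanzas, plus the alert_actions.conf mail-server stanza that the "no email is sent" follow-up points at. The connection "SystemLog" and table Central_Log come from the question; the failed_logins table and column, recipient addresses and mail server are assumed placeholders.

```ini
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# Added example, not from the thread. Connection "SystemLog" and table
# Central_Log come from the question; the failed_logins table, recipient
# and mail server below are constructed placeholders.

[Central_Log row count]
enableSched = 1
# Every minute; the "*/5 * * * *" from the follow-up fires only every 5 min.
cron_schedule = * * * * *
# dispatch.* does not bound rows returned by dbquery; the SQL must do that.
dispatch.earliest_time = -1m
search = | dbquery "SystemLog" "SELECT * FROM Central_Log" | stats count | where count > 9
# The where clause already encodes the threshold, so fire on any result row.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
# Throttle: a persistent condition sends one mail per 10 min, not per minute.
# If no mail arrives while testing, disable this first.
alert.suppress = 1
alert.suppress.period = 10m
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$
action.email.sendresults = 1

[Failed logins over threshold]
# Same pattern for the MySQL login table (hypothetical table/column names).
enableSched = 1
cron_schedule = * * * * *
search = | dbquery "SystemLog" "SELECT * FROM failed_logins WHERE attempt_time >= NOW() - INTERVAL 1 MINUTE" | stats count | where count > 5
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.suppress = 1
alert.suppress.period = 10m
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$

# $SPLUNK_HOME/etc/system/local/alert_actions.conf
# With no reachable mail server here, alerts show under Triggered Alerts
# but nothing is sent, which matches the symptom in the follow-up.
[email]
mailserver = mail.example.com:25
from = splunk@example.com
use_tls = 1
```

Restart Splunk (or reload the search app) after editing, then check Settings -> Searches and Reports that both alerts are enabled and scheduled.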

Explorer

Guys, I also wrote an application which logs unsuccessful logins into a MySQL database, which I have integrated into Splunk using splunkDbconnector. Is there any way to raise an alert, specifically E-mail, if the number of unsuccessful attempts is greater than 5?

Also please provide me any useful links. I am a newbie to this field.
