Alerting

Need help with my alert (needs more logic)

Jarohnimo
Builder

Hello All,

I have a situation where I need to figure out a creative solution before sending out a specific alert but having a hard time.

Problem: Security needs to know when McAfee mail logs' "status" shows as "Emailed Deferred". Currently they get the alert based on the cron schedule set for the alert and it works. However, it can appear as a false positive, as sometimes they'll get this alert, log in to the email system, and see that the status is no longer deferred (it sent out).

How do I bake logic into this alert where Splunk won't send out an alert unless the status has been that way for over x amount of time?

It's like the logic would need to look at each email, check the timestamp of each event, and if the status switches to "Emailed Deferred", monitor that email/host for x amount of time in case there's an "email sent" event within your set time period. So the idea is that if an email is deferred, perhaps monitor that email (by subject) for 10 minutes. If an "email sent" event is found for that same subject within 10 minutes, do not send the alert. But if no "email sent" event is found, then send the alert as normal after those 10 minutes have expired.

index=mcafee sourcetype=Meg status="Emailed Deferred" | stats values(_time) as Time values(sender) as Sender values(dest) as Destination values(status) as Status by host | sort -Time

0 Karma
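A worked version of the "alert only if still deferred after 10 minutes" logic, written as a savedsearches.conf alert stanza. This is an added example, not code from the thread or from McAfee/Splunk; it assumes the events carry a subject field and that a successful delivery is logged with status="Emailed Sent" (the question names only the deferred status, so both are assumptions to adjust to your data).

```ini
# Added example (not from the thread): alert stanza for savedsearches.conf.
# ASSUMPTIONS: events have a "subject" field; a delivered message is logged
# with status="Emailed Sent". Change both to match the real MEG log fields.
[McAfee MEG - mail deferred for more than 10 minutes]
enableSched = 1
cron_schedule = */10 * * * *
# Look back far enough to see the deferral and any later "sent" event.
dispatch.earliest_time = -70m
dispatch.latest_time = now
search = index=mcafee sourcetype=Meg (status="Emailed Deferred" OR status="Emailed Sent") \
| stats min(eval(if(status="Emailed Deferred", _time, null()))) as deferred_time \
        max(eval(if(status="Emailed Sent", _time, null()))) as sent_time \
        values(sender) as Sender values(dest) as Destination \
        by host subject \
| where isnotnull(deferred_time) AND (isnull(sent_time) OR sent_time < deferred_time) \
| where deferred_time <= relative_time(now(), "-10m") \
| eval Deferred_Since = strftime(deferred_time, "%Y-%m-%d %H:%M:%S") \
| fields host subject Sender Destination Deferred_Since
# Fire when at least one message is still deferred after the grace period.
counttype = number of events
relation = greater than
quantity = 0
# Throttle per host+subject so a message that stays deferred alerts once
# an hour instead of on every 10-minute run.
alert.suppress = 1
alert.suppress.period = 60m
alert.suppress.fields = host,subject
action.email = 1
action.email.to = security-team@example.com
```

The search groups deferred and sent events per host and subject, keeps only groups whose first deferral is older than 10 minutes with no later "sent" event, and the throttle settings stop the same stuck message from re-alerting every run. If the logs carry a message id, group by that instead of subject, since two different emails can share a subject line.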

shivanshu1593
Builder

Maybe this can help:

index=mcafee sourcetype=Meg earliest=-10m latest=now | bucket span=10m _time | streamstats current=t time_window=10m window=1 last(status) as prev_status | stats values(_time) as Time values(sender) as Sender values(dest) as Destination values(status) as Status values(prev_status) as prev_status by host | sort -Time | where status="Emailed Deferred" AND status=prev_status

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

to4kawa
Ultra Champion

It's amazing how you can make it without a log.

before |streamstats ...

| reverse is needed, isn't it?

0 Karma

shivanshu1593
Builder

Haha thanks brother. That's very kind of you, especially when your SPL skills are far better than mine, hands down 🙂

I believe reverse won't be required here, because last in streamstats would pick the oldest value from the bucket, which is 10 mins old, which I think the author is looking for. I can certainly be wrong though, so reverse can be used to fix it, if the author chooses to do so.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma