Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise logs monitoring: How do you create those alerts and assigned them to someone to be follow up on?

tonitoagu
Explorer
‎01-26-2023 09:37 AM

I am wondering if anyone has this issue or use case. We are trying to see if we can have a system that would alert us on when a host has stopped sending logs based on the specific index it belongs. For example: We woudl like to know if a firewall has stopped sending logs within 30min and also lets say if a host for another less continuos feed has stopped, exmaple: host A of index=trickle_feed has not send in 4 hours, etc.

We are good with the logic on those searches, what i am really looking for is direction on how you create those alerts and assigned them to someone to be follow up on? what other tools you might be using for the triaging and tracking of the alert/incident/ticket/work while the feed for the Quiet host is being restored? 

 

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-26-2023 11:07 AM

There are already apps for that.

For example - https://splunkbase.splunk.com/app/4621

Reply

tonitoagu
Explorer
‎02-02-2023 06:03 AM

I will definitely take a look at this!

Thanks so much!

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-02-2023 08:33 AM

With this TrackMe app you could “outsource” configuration of alerts to responsible groups from splunk admins 😉

0 Karma
Reply

tonitoagu
Explorer
‎01-26-2023 10:41 AM

@gcusello thank you so much. I think i got the searches working for alerting what devices have stopped. 

My problem at this time is figuring out a way to act on those alerts. so on your example, do you konw how you would assign those hosts in the .csv to be looked and track while they are resolved? 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-26-2023 10:44 AM

Hi @tonitoagu,

usually in this kind of projects, it's a best practice to define a monitoring perimeter before starting the project.

But anyway, you can run a search on e.g. the last 30 days and extract all the host of your network and then store this list in the lookup.

Ciao.

Giuseppe

Reply

tonitoagu
Explorer
‎01-27-2023 04:55 AM

Grazie Giusepppe.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-27-2023 05:00 AM

Hi @tonitoagu ,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-26-2023 10:18 AM

HI @tonitoagu,

let me understand:you want to be alerted when events from one host stop to arrive, is this correct?

if this is your need, you an find many examples in the community (also by me!).

Anyway, you have to list all the hosts to monitor in a lookup (called e.g. perimeter.csv) containing at least one column (host) and then run a search like the following:

| metasearch index=*
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...