Splunk Enterprise logs monitoring: How do you create those alerts and assign them to someone to be followed up on?
I am wondering if anyone has this issue or use case. We are trying to see if we can have a system that would alert us when a host has stopped sending logs, based on the specific index it belongs to. For example: we would like to know if a firewall has stopped sending logs within 30 min, and also, let's say, if a host for another, less continuous feed has stopped, example: host A of index=trickle_feed has not sent in 4 hours, etc.
We are good with the logic on those searches; what I am really looking for is direction on how you create those alerts and assign them to someone to be followed up on. What other tools might you be using for the triaging and tracking of the alert/incident/ticket/work while the feed for the quiet host is being restored?
There are already apps for that.
For example - https://splunkbase.splunk.com/app/4621
I will definitely take a look at this!
Thanks so much!
With this TrackMe app you could “outsource” configuration of alerts to responsible groups from splunk admins 😉
@gcusello thank you so much. I think I got the searches working for alerting on which devices have stopped.
My problem at this time is figuring out a way to act on those alerts. So, on your example, do you know how you would assign those hosts in the .csv to be looked at and tracked while they are resolved?
Hi @tonitoagu,
usually in this kind of project, it's a best practice to define a monitoring perimeter before starting the project.
But anyway, you can run a search on e.g. the last 30 days and extract all the hosts of your network and then store this list in the lookup.
Ciao.
Giuseppe
Grazie Giuseppe.
Hi @tonitoagu ,
if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors;-)
Hi @tonitoagu,
let me understand: you want to be alerted when events from one host stop arriving, is this correct?
If this is your need, you can find many examples in the community (also by me!).
Anyway, you have to list all the hosts to monitor in a lookup (called e.g. perimeter.csv) containing at least one column (host) and then run a search like the following:
| metasearch index=*
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
Ciao.
Giuseppe
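The same perimeter-lookup idea, carried through to the per-feed thresholds and ownership the original question asks about, as an added example that is not part of any post above. It is a stand-alone Python script, not Splunk code: the perimeter rows (with a hypothetical `owner` column for the responsible group) and the last-seen timestamps that a `stats max(_time) BY index host` search would produce are constructed inline.

```python
from datetime import datetime, timedelta

# Constructed perimeter lookup: host, the index it should appear in, the
# maximum silence tolerated for that feed, and a hypothetical owner group
# used to assign the alert. All values are made up for this example.
PERIMETER = [
    {"host": "fw-edge-01", "index": "firewall", "max_silence": timedelta(minutes=30), "owner": "network-team"},
    {"host": "fw-edge-02", "index": "firewall", "max_silence": timedelta(minutes=30), "owner": "network-team"},
    {"host": "hostA", "index": "trickle_feed", "max_silence": timedelta(hours=4), "owner": "app-team"},
    {"host": "hostB", "index": "trickle_feed", "max_silence": timedelta(hours=4), "owner": "app-team"},
]

# Constructed stand-in for the search result "| stats max(_time) BY index host":
# the newest event time per (index, host). Note the mixed-case host name.
NOW = datetime(2024, 1, 10, 12, 0, 0)
LAST_SEEN = {
    ("firewall", "FW-EDGE-01"): NOW - timedelta(minutes=5),
    ("firewall", "fw-edge-02"): NOW - timedelta(minutes=45),
    ("trickle_feed", "hosta"): NOW - timedelta(hours=2),
    # hostB has never been seen: it exists only in the perimeter lookup
}


def find_quiet_hosts(perimeter, last_seen, now):
    """Return one alert record per perimeter host whose feed has been silent
    longer than its allowed threshold. Host names are lower-cased on both
    sides, mirroring `eval host=lower(host)` in the search above, so a case
    mismatch between the lookup and the events does not produce a false alert.
    A host missing from the events entirely is reported with last_seen='never'."""
    seen = {(idx, host.lower()): ts for (idx, host), ts in last_seen.items()}
    alerts = []
    for entry in perimeter:
        key = (entry["index"], entry["host"].lower())
        ts = seen.get(key)
        silence = (now - ts) if ts else None
        if ts is None or silence > entry["max_silence"]:
            alerts.append({
                "host": key[1],
                "index": entry["index"],
                "last_seen": ts.isoformat() if ts else "never",
                "silent_for_min": int(silence.total_seconds() // 60) if ts else None,
                "assigned_to": entry["owner"],   # who the alert is handed to
                "status": "open",                # tracking state for triage
            })
    return alerts


if __name__ == "__main__":
    for alert in find_quiet_hosts(PERIMETER, LAST_SEEN, NOW):
        print(alert)
```

With the constructed data, fw-edge-02 (45 min silent on a 30 min feed) and hostB (never seen) are reported; fw-edge-01 and hostA are within their thresholds.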
