Monitoring Splunk

How to achieve event logs report if threshold match?

cbiraris
Path Finder

Hi Team,

I am looking for the help for the Event logs report if threshold match.

I tried both ways, creating a report and an alert, but it either sends me the logs using the |table _time, _raw method or sends a count using |stats count | where count >0.

I need to schedule a report on the last 24 hrs of data, only if there is an event, at 00:00 AM.

Please guide me 

Thank you


cbiraris
Path Finder

I am trying to create scheduled report or alert whichever useful to send CSV file containing search event logs.

Suppose,

index=ABC sourcetype=XYZ "failed to run"

If a "failed to run" event is present with a count of more than "0" in the last 24 hrs, the alert or report should trigger at 12 AM.

And the alert or scheduled report should have a CSV file attached to the mail notification, containing the search event log.


PaulPanther
Builder

Based on Alert examples - Splunk Documentation, do it like this:

  1. From the Search Page, create the following search.
    index=ABC sourcetype=XYZ "failed to run" earliest=-24h latest=now
  2. Select Save As > Alert.
  3. Specify the following values for the fields in the Save As Alert dialog box.
    • Title: Errors in the last 24 hours
    • Alert type: Scheduled
    • Time Range: Run every day
    • Schedule: At 00:00
    • Trigger condition: Number of Results
    • Trigger when number of results: is greater than 0.
  4. Select the Send Email alert action.
  5. Set the following email settings, using tokens in the Subject and Message fields.
    • To: email recipient
    • Priority: Normal
    • Subject: Too many errors alert: $name$
    • Message: There were $job.resultCount$ errors reported on $trigger_date$.
    • Include: Link to Alert, Attach CSV, Inline... and Link to Results
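The same alert as the Save As Alert dialog above would write it to savedsearches.conf, added here as a worked example (not from the thread or from Splunk's documentation); the stanza name, the recipient address and the app directory are assumptions.

```ini
# savedsearches.conf, e.g. in etc/apps/<your_app>/local/ (assumed location)
# Added example: the scheduled alert with CSV attachment described in the thread.
[Failed to run - last 24h]
# Field names in Splunk searches are case-sensitive, so use lowercase "index"
search = index=ABC sourcetype=XYZ "failed to run"
# Search window: the 24 hours before each run (same as earliest=-24h latest=now)
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Run every day at 00:00 (cron fields: minute hour day month weekday)
enableSched = 1
cron_schedule = 0 0 * * *
# Trigger condition: number of results is greater than 0
counttype = number of events
relation = greater than
quantity = 0
# One alert per scheduled run, not one per matching event
alert.digest_mode = 1
# Send Email action with the results attached as CSV, inline, and linked
action.email = 1
action.email.to = recipient@example.com
action.email.subject.alert = Too many errors alert: $name$
action.email.message.alert = There were $job.resultCount$ errors reported on $trigger_date$.
action.email.sendcsv = 1
action.email.inline = 1
action.email.include.results_link = 1
action.email.include.view_link = 1
# Record each firing under Activity > Triggered Alerts for later review
alert.track = 1
```

Because the trigger condition already requires at least one result, the search itself stays a plain event search (no | stats count | where count > 0), which is what lets the CSV attachment contain the raw events rather than a single count.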

PaulPanther
Builder

Hello cbiraris,

What is your exact problem, and which goal do you wanna reach?

It would be great if you could provide some more information.

My current assumption is that you wanna run a scheduled search only in the case that there are 1 or more events at a specific time.
