How to get an event log report only if a threshold matches?

cbiraris
Path Finder

Hi Team,

I am looking for help with an event log report that is sent only if a threshold matches.

I tried both ways, creating a report and an alert, but it either sends me the logs using the |table _time, _raw method or sends a count using |stats count | where count>0.

I need to schedule a report on the last 24 hrs of data at 00:00 AM, but only if there is an event.

Please guide me 

Thank you


cbiraris
Path Finder

I am trying to create a scheduled report or an alert, whichever is useful, to send a CSV file containing the search event logs.

Suppose,

index=ABC sourcetype=XYZ "failed to run"

If "failed to run" events are present with a count of more than "0" in the last 24 hrs, the alert or report should trigger at 12 AM.

The alert or scheduled report should have a CSV file attached to the mail notification containing the search event log.


PaulPanther
Motivator

Based on Alert examples - Splunk Documentation, do it like this:

  1. From the Search Page, create the following search.
    index=ABC sourcetype=XYZ "failed to run"  earliest=-24h latest=now
  2. Select Save As > Alert.
  3. Specify the following values for the fields in the Save As Alert dialog box.
    • Title: Errors in the last 24 hours
    • Alert type: Scheduled
    • Time Range: Run every day
    • Schedule: At 00:00
    • Trigger condition: Number of Results
    • Trigger when number of results: is greater than 0.
  4. Select the Send Email alert action.
  5. Set the following email settings, using tokens in the Subject and Message fields.
    • To: email recipient
    • Priority: Normal
    • Subject: Too many errors alert: $name$
    • Message: There were $job.resultCount$ errors reported on $trigger_date$.
    • Include: Link to Alert, Attach CSV, Inline... and Link to Results
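For reference, the same alert expressed as a savedsearches.conf stanza, so it can be deployed or reviewed as configuration rather than clicked through the dialog. This is an added example, not from the thread or the Splunk documentation; the stanza name and recipient address are placeholders, and the index/sourcetype values are the ones used in the question.

```ini
# savedsearches.conf (for example in an app's local/ directory)
[Failed-to-run events in the last 24 hours]
# SPL field names are case-sensitive: use index=, not Index=
search = index=ABC sourcetype=XYZ "failed to run"
dispatch.earliest_time = -24h
dispatch.latest_time = now

# Scheduled alert, run once a day at 00:00 (cron syntax, in the
# search head's local time zone)
enableSched = 1
cron_schedule = 0 0 * * *

# Trigger condition: only when the search returns more than 0 events,
# so nothing is sent on days without a match
counttype = number of events
relation = greater than
quantity = 0

# Email action: attach the matching events as CSV, show them inline,
# and include links back to the alert and the results
action.email = 1
action.email.to = recipient@example.com
action.email.subject = Too many errors alert: $name$
action.email.message = There were $job.resultCount$ errors reported on $trigger_date$.
action.email.sendresults = 1
action.email.sendcsv = 1
action.email.inline = 1
action.email.include.results_link = 1
action.email.include.view_link = 1

# Record each firing under Activity > Triggered Alerts for auditing
alert.track = 1
```

Because the trigger condition is evaluated before the email action runs, days with zero matching events produce no mail at all, which is the behaviour the question asks for.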

PaulPanther
Motivator

Hello cbiraris,

what is your exact problem and which goal do you want to reach?

It would be great if you could provide some more information.

My current assumption is that you want to run a scheduled search only in the case that there are 1 or more events at a specific time.
