Hi Guys,
I am trying to configure Splunk to send me alerts on my mobile when the number of requests against my web server is greater than a specified value.
I ran the search and it shows me the number of requests and the source IP, but
the alert I created is not triggered at all (I viewed the Triggered Alerts menu and it is empty). It is scheduled hourly, with the trigger condition "number of results greater than 0", and the selected action is Splunk Secure Gateway.
My goal is to send these events to my mobile and to SOAR when they exceed a value, and to configure a playbook that automatically blocks the src_ip, as it is mostly performing a DoS attack.
Can anybody help me?
host=192.168.1.1 "DST=192.168.1.174"
| stats count(SRC) AS Requests BY SRC
| sort - Requests
| where Requests>50
Hi
Can you show how your alert is configured?
You could also look in the internal logs to see whether that alert ran and whether it triggered.
Have you tested that your email works from Splunk? The easiest way to check it is to add
....
| sendemail ....
after your query.
One comment on your SPL: it's better to select the rows first and then sort; that way it's more efficient.
...
| where Requests > 50
| sort 0 - Requests
is the better way. Also, if there could be a huge number of those, you need the 0 with sort to sort all of them, not only the first XXX events.
r. Ismo
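The search logic discussed above (count requests per SRC toward one DST, keep only sources over the threshold, then sort), reimplemented in Python over constructed netfilter-style log lines so the "where before sort" point can be checked offline. This is an added example by the editor, not code from the thread or from Splunk; it assumes the firewall host 192.168.1.1 forwards iptables/UFW `LOG` lines with `SRC=`/`DST=` fields, which is what the quoted `"DST=192.168.1.174"` string search suggests. The sample lines, IP addresses and counts are constructed.

```python
import re
from collections import Counter

# Constructed sample data: netfilter/UFW LOG-style lines as forwarded from
# host 192.168.1.1 (assumption: the page never shows a raw event).
def make_lines(src, dst, n):
    return [
        f"Jan 10 12:00:{i % 60:02d} 192.168.1.1 kernel: [UFW BLOCK] IN=eth0 OUT= "
        f"SRC={src} DST={dst} LEN=60 PROTO=TCP SPT={40000 + i} DPT=80"
        for i in range(n)
    ]

SAMPLE_LOGS = (
    make_lines("10.0.0.5", "192.168.1.174", 60)       # clearly over threshold
    + make_lines("203.0.113.9", "192.168.1.174", 55)  # just over threshold
    + make_lines("10.0.0.7", "192.168.1.174", 3)      # benign client
    + make_lines("10.0.0.8", "192.168.1.200", 70)     # noisy, but a different DST
)

# netfilter fields are upper-case KEY=value tokens; OUT= may be empty.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_kv(line):
    """Extract KEY=value pairs from one log line into a dict."""
    return dict(KV_RE.findall(line))


def count_requests(lines, dst="192.168.1.174"):
    """Equivalent of: "DST=<dst>" | stats count(SRC) AS Requests BY SRC.

    Only events whose DST matches and that carry a SRC field are counted,
    which is what count(SRC) does in SPL (nulls are skipped).
    """
    counts = Counter()
    for line in lines:
        fields = parse_kv(line)
        if fields.get("DST") != dst:
            continue
        src = fields.get("SRC")
        if src:
            counts[src] += 1
    return counts


def offenders(counts, threshold=50):
    """Equivalent of: | where Requests > <threshold> | sort 0 - Requests.

    Filtering first keeps the sort small; sorting the full filtered set
    (sort 0 in SPL) means no offender is dropped by a result cap.
    Ties are broken by SRC so the output is deterministic.
    """
    over = [(src, n) for src, n in counts.items() if n > threshold]
    return sorted(over, key=lambda kv: (-kv[1], kv[0]))


def alert_triggers(results, quantity=0):
    """The scheduled alert's trigger condition: number of results greater than <quantity>.

    If this returns True for the search's own output but nothing appears under
    Triggered Alerts, the problem is in the alert actions, not the search.
    """
    return len(results) > quantity


if __name__ == "__main__":
    hits = offenders(count_requests(SAMPLE_LOGS))
    for src, n in hits:
        print(f"{src:<16} {n}")
    print("alert would trigger:", alert_triggers(hits))
```

When the same pipeline runs in Splunk, the order matters for the reason Ismo gives: `sort` without a limit argument returns at most 10,000 rows by default, so `| sort - Requests | where ...` can silently drop sources if the `stats` output is large, while `| where ... | sort 0 - Requests` both shrinks the input and removes the cap. On the alert side, the equivalent of `alert_triggers` lives in savedsearches.conf as `counttype = number of events`, `relation = greater than`, `quantity = 0`, and the alert only shows up under Triggered Alerts when `alert.track = 1` (the "Add to Triggered Alerts" action) is set alongside whatever email or mobile action you enabled.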
Hi @Ammar,
Let me understand: is your issue that the search doesn't find any results, or that the search finds results but you don't get any action?
In the first case, you have to debug your search.
I see that you didn't use the index definition; if the index to use isn't in the default search path, you cannot find anything:
index=your_index host=192.168.1.1 "DST=192.168.1.174"
| stats count AS Requests BY SRC
| sort -Requests
| where Requests>50
Then, are you sure that your logs contain the string exactly "DST=192.168.1.174"? This isn't a field definition used for the search: if you have the field DST (which is usually in lowercase!) you can use it without quotes.
In the second case, you have to check the response actions configuration: which one did you configure?
To be listed in the triggered alerts or to receive an email, you have to configure these actions in the response actions; it isn't automatic by default.
Ciao.
Giuseppe
Thanks for the reply.
The search finds results accurately,
but when I create an alert with "send to mobile", the alert is never triggered, even though I get results when running the search query.
BTW, the alert is configured as scheduled, not real-time.
Hey,
thanks for the reply.
I figured out that what was causing this was the mobile action in the alert.
When I configured the alert to send the action via email, it worked!
I don't know why sending a push notification to mobile is not working, although it's configured correctly in my Splunk mobile app and in Splunk Secure Gateway!
Thank you for mentioning the email action to me.
Hi @Ammar,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉