Other Usage

Why are the alerts not triggered any more?

Ammar
Explorer

Hi Guys,

am trying to configure Splunk to send me alerts through mobile when the requests against my web server are more than a specified value

i ran the search and it shows me the requests number and source IP but 

i created an alert but this alert is not triggered at all(i viewed the triggered alerts menu and its empty) scheduled to one hour, number of results greater than 0 and selected actions Splunk secure gateway 

my goal is send these events to my mobile and to SOAR when they greater than a value and configure playbook to automatically block the src_ip as its  mostly performing a DoS attack

anybody can help me ?

host=192.168.1.1 "DST=192.168.1.174"|stats count(SRC) AS Requests BY SRC
|sort - Requests | where Requests>50

Labels (1)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

can you show how your Alert has configured.

You could also look from internal logs if that alert is run and if it raised or not. 

Have you test that your email works from splunk? Easiest way to check it is add 

....
| sendemail ....

after your query.

 

One comment for your SPL. It's better 1st select rows and then sort, that way it's more efficient.

...
| where Requests > 50
| sort 0 - Requests

Is better way. Also if there could be huge amount of those then you need 0 with sort to sort all not only XXX events.

r. Ismo 

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Ammar,

let me understand: is your issue that the search doesn't find any result or that the search finds results but you don't have any action?

in the first  case, you have to debug your search:

I see that you didn't used the index definition, if the index to use isn't in the default search path, you cannot find anything:

index=your_index host=192.168.1.1 "DST=192.168.1.174"
| stats count AS Requests BY SRC
| sort -Requests 
| where Requests>50

Then are you sure that in your logs you have a scring exaclty "DST=192.168.1.174"? this isn't a field definition used for the search: if you have the field DST (that usually is in lowercase!) you can use it without quotes.

in the second case, you have to check the response actions configuration, which one did you configured?

To be listed in the triggered alerts or to receive an email you have to configure this actions in the response actions, it isn't automatic by default.

Ciao.

Giuseppe

0 Karma

Ammar
Explorer

thanks for the reply 

the search finds results  accurately 

but when created alert with send to mobile , the alert will never be triggered despite when running the search query i get results

BTW the alert is configured on schedule not real-time

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

can you show how your Alert has configured.

You could also look from internal logs if that alert is run and if it raised or not. 

Have you test that your email works from splunk? Easiest way to check it is add 

....
| sendemail ....

after your query.

 

One comment for your SPL. It's better 1st select rows and then sort, that way it's more efficient.

...
| where Requests > 50
| sort 0 - Requests

Is better way. Also if there could be huge amount of those then you need 0 with sort to sort all not only XXX events.

r. Ismo 

0 Karma

Ammar
Explorer

hey,

thanks for the reply 

i figured out that what was causing this is the mobile action in the alert

when i configured the alert to send action via Email it worked!

i don't know why sending push notification to mobile is not working although its configured on my splunk mobile app correctly and on Splunk Secure Gateway!

thank you for mentioning the email action to me 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Ammar ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...