Good Afternoon,
We are attempting to make Splunk fit into our compliance needs. The auditors want us to check for certain things on the network (user locked out, user added to security group, etc) and verify each day that we checked.
We were doing this with Alert Logic previously. Basically, Alert Logic had an internal "cases" interface where each search would put a "case" in the list to be reviewed. If it found something, one employee notes the reason after investigation and another employee closes it. Auditors want "dual control" to prevent one admin from falsifying things I guess.
The part where it gets tricky is when a search finds nothing. The auditors would like us to confirm that we checked even those "no findings" reports. Alert Logic did this out of the box (before they started changing their product to something wholly unrecognizable to us) and Splunk seemed to do it but I'm finding it's tougher than first thought.
The "cases" interface could be had via the Alert Manager app or InfoSec app, neither of which are functioning in my cloud trial. I've resorted to an e-mail to a free Jira cloud instance to get these cases. Accepting that, I need to figure out how to get an alert to trigger both for no items found and for items found. The trigger options force me to choose.
Any help is appreciated. I've been working with Splunk support on this and they think some of the apps not working are due to the trial but they can't seem to get the alert triggering going. I'm sure there is a phrase I can stick in "custom" that'll work. I just don't know what. Thank you in advance.
As you've discovered, this is no alert trigger for "zero or more results". You'll have to modify the query to always return results and have the alert trigger when items are found.
Use the appendpipe command to ensure the query always something. Share the existing query and we can provide specifics.
Thank you for the response! The queries are all pretty basic for the most part, one would be:
index="wineventlog" EventID=4740
My current workaround is two alerts, one for zero results, one for more than zero. Do you think I could do it in one?