Splunk Enterprise Security

Alert not triggering

miguelangelclem
Explorer

Hi all,

I have created an alert with this simple query:

index=foo host="bar" action=fail | stats count by user | search count>40 

It is scheduled every hour and the trigger setting is Number of Results greater than 0

I have tried adding table and fields commands but it still doesn't work

Why could this happen?

0 Karma
1 Solution

harishalipaka
Motivator
0 Karma

harishalipaka
Motivator
0 Karma

memarshall63
Communicator

What is your search time frame?
A user would have to fail 40 times within your search time frame to qualify as an alert.

Is that what you're expecting?

0 Karma

miguelangelclem
Explorer

Yes, I am expecting that.

I have found the problem and was the email configuration as @harishalipaka tell me. The alerts didn't appear because i had not set the action, and the email wasn't sending for a misconfiguration in server.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...