Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Alert not triggering
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
miguelangelclem
Explorer
04-16-2020
03:12 AM
Hi all,
I have created an alert with this simple query:
index=foo host="bar" action=fail | stats count by user | search count>40
It is scheduled every hour and the trigger setting is Number of Results greater than 0
I have tried adding table and fields commands but it still doesn't work
Why could this happen?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishalipaka
Motivator
04-16-2020
11:50 PM
hi @miguelangelclemente
have a look into this
Thanks
Harish
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishalipaka
Motivator
04-16-2020
11:50 PM
hi @miguelangelclemente
have a look into this
Thanks
Harish
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
memarshall63
Communicator
04-16-2020
07:00 PM
What is your search time frame?
A user would have to fail 40 times within your search time frame to qualify as an alert.
Is that what you're expecting?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
miguelangelclem
Explorer
04-17-2020
12:23 AM
Yes, I am expecting that.
I have found the problem and was the email configuration as @harishalipaka tell me. The alerts didn't appear because i had not set the action, and the email wasn't sending for a misconfiguration in server.
Thanks!
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
