Splunk Enterprise Security

How to create notable events alert if any of correlation searches get skipped?

manojannabathin
Loves-to-Learn Everything

How can I create a notable event alert if any of the correlation searches is getting skipped?


shivanshu1593
Builder

Try the following:

index=_internal sourcetype=scheduler status=skipped
| stats values(reason) as reason, count by savedsearch_name


When you run the search, let it execute, then click on "Save As" in the top right-hand corner, then click on "Save as Alert" and fill in the details in the dialogue box, which is pretty straightforward (if you want all results in one email, select "Once" in the dialogue box; if you want an individual email for each search, select "For each result"), and then select the alert action as per your requirement, e.g. the "Send email" alert action to send an email to you and others.

Hope this helps.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

richgalloway
SplunkTrust

This is good, but it will return all skipped searches, not just correlation searches.  Since the Scheduler log does not distinguish CSs from ordinary scheduled searches, we need to filter by CS name.  We can get a list of all CS names using REST.

index=_internal sourcetype=scheduler status=skipped host=<<my SH>>
[ | rest /services/saved/searches splunk_server=local
  | search is_scheduled=1 disabled=0 action.correlationsearch.enabled=1
  | fields title
  | rename title as savedsearch_name
  | format ]
---
If this reply helps you, Karma would be appreciated.
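As an added example (not code from this thread or from Splunk), the same filtering logic in Python over constructed scheduler.log lines and a constructed saved-search listing: the field names savedsearch_name, status, reason, is_scheduled, disabled and action.correlationsearch.enabled are the ones the searches above rely on, while the sample search names, timestamps and reason texts are made up. It reproduces the REST subsearch (keep only enabled, scheduled searches flagged as correlation searches) and the `stats values(reason), count by savedsearch_name` step, so you can see which rows the alert would contain and why the non-CS and disabled searches drop out.

```python
import re
from collections import defaultdict

# Constructed scheduler.log events (not real Splunk output). Only the key=value
# pairs matter here; the timestamps and reason texts are illustrative.
LOG_LINES = [
    '02-28-2023 10:00:01.123 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Example Brute Force - Rule", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Example Brute Force - Rule", status=skipped, reason="The maximum number of concurrent running jobs for this historical scheduled search on this instance has been reached"',
    '02-28-2023 10:05:01.456 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Example Brute Force - Rule", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Example Brute Force - Rule", status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached"',
    '02-28-2023 10:05:01.789 +0000 INFO  SavedSplunker - savedsearch_id="admin;search;Ordinary report", user="admin", app="search", savedsearch_name="Ordinary report", status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached"',
    '02-28-2023 10:05:02.001 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Example Disabled - Rule", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Example Disabled - Rule", status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached"',
    '02-28-2023 10:10:01.222 +0000 INFO  SavedSplunker - savedsearch_id="nobody;SplunkEnterpriseSecuritySuite;Threat - Example Brute Force - Rule", user="nobody", app="SplunkEnterpriseSecuritySuite", savedsearch_name="Threat - Example Brute Force - Rule", status=success, run_time=1.234',
]

# Constructed stand-in for the rows the /services/saved/searches REST call returns
# (only the fields the subsearch filters on are included).
SAVED_SEARCHES = [
    {"title": "Threat - Example Brute Force - Rule", "is_scheduled": "1", "disabled": "0", "action.correlationsearch.enabled": "1"},
    {"title": "Threat - Example Disabled - Rule", "is_scheduled": "1", "disabled": "1", "action.correlationsearch.enabled": "1"},
    {"title": "Ordinary report", "is_scheduled": "1", "disabled": "0", "action.correlationsearch.enabled": "0"},
]

# key=value or key="quoted value" pairs; quoted values may contain spaces and commas.
KV_RE = re.compile(r'([A-Za-z_][\w.]*)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_scheduler_line(line):
    """Return the key=value fields of one scheduler.log event as a dict (quotes stripped)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def correlation_search_names(saved_searches):
    """Equivalent of the REST subsearch: enabled, scheduled searches marked as correlation searches."""
    return {
        s["title"]
        for s in saved_searches
        if s.get("is_scheduled") == "1"
        and s.get("disabled") == "0"
        and s.get("action.correlationsearch.enabled") == "1"
    }


def skipped_correlation_searches(log_lines, cs_names):
    """status=skipped events restricted to CS names, aggregated like
    `stats values(reason) as reason, count by savedsearch_name`."""
    stats = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in log_lines:
        event = parse_scheduler_line(line)
        if event.get("status") != "skipped":
            continue
        name = event.get("savedsearch_name")
        if name not in cs_names:
            continue  # ordinary scheduled search or disabled CS: not alert-worthy here
        stats[name]["count"] += 1
        if "reason" in event:
            stats[name]["reasons"].add(event["reason"])
    # sorted reasons give a stable multivalue field, as values() does in SPL
    return {n: {"count": v["count"], "reasons": sorted(v["reasons"])} for n, v in stats.items()}


if __name__ == "__main__":
    rows = skipped_correlation_searches(LOG_LINES, correlation_search_names(SAVED_SEARCHES))
    for name, row in rows.items():
        print(f'{name}: skipped {row["count"]} time(s)')
        for reason in row["reasons"]:
            print(f"  - {reason}")
```

Only the brute-force rule survives: "Ordinary report" is scheduled but not a correlation search, the disabled rule is filtered out by `disabled=0`, and the successful run is not `status=skipped`. Running the REST subsearch on its own against the search head is the quickest way to confirm the CS list is non-empty before wiring the outer search into an alert.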

manojannabathin
Loves-to-Learn Everything

This query is not working, I can't see any results.


richgalloway
SplunkTrust

Do you have access to the _internal index?  If not, you'll get no results.  Did you replace the placeholder following "host="?  Is the time range large enough to find skipped searches?

Have you tried running the subsearch by itself to verify it returns results?

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

The Monitoring Console has a search for skipped searches.  See Search->Scheduler Activity.  Use that search as a model to create a CS that detects skipped searches.

---
If this reply helps you, Karma would be appreciated.

manojannabathin
Loves-to-Learn Everything
I want to create an alert for when the searches or alerts are skipped for correlation searches.