Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create notable events alert if any of correlation searches get skipped?

manojannabathin
Loves-to-Learn Everything
‎01-24-2023 04:20 AM

How can i create notable events alert if any of correlation searches is getting skipped?

Labels (1)
Labels
0 Karma
Reply

shivanshu1593
Builder
‎01-30-2023 09:03 AM

Try the following:

index=_internal sourcetype=scheduler status=skipped
| stats values(reason) as reason, count by savedsearch_name


When you run the search, let it execute, then click on "Save As" on the top right hand corner, then click on save as alert, fill in the details in the dialogue box which is pretty straight forward (If you want all results in one email, select in the dialogue box Once, if you want an individual email for each search, then select for each results) and then select the alert action as per your requirement. Ex: Send email alert action to send an email to you and others.

Hope this helps.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 10:42 AM

This is good, but it will return all skipped searches, not just correlation searches.  Since the Scheduler log does not distinguish CSs from ordinary scheduled searches, we need to filter by CS name.  We can get a list of all CS names using REST.

index=_internal sourcetype=scheduler status=skipped host=<<my SH>>
[ | rest /services/saved/searches splunk_server=local 
  | search is_scheduled=1 disabled=0 action.correlationsearch.enabled=1 
  | fields title 
  | rename title as savedsearch_name 
  | format ]
---
If this reply helps you, Karma would be appreciated.
Reply

manojannabathin
Loves-to-Learn Everything
‎02-03-2023 06:08 AM

This query is not working i cant see any results 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-03-2023 06:12 AM

Do you have access to the _internal index?  If not, you'll get no results.  Did you replace the placeholder following "host="?  Is the time range large enough to find skipped searches?

Have you tried running the subsearch by itself to verify it returns results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-24-2023 08:59 AM

The Monitoring Console has a search for skipped searches.  See Search->Scheduler Activity.  Use that search as a model to create a CS that detects skipped searches.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

manojannabathin
Loves-to-Learn Everything
‎01-30-2023 07:38 AM
  • I wanna create a alert for when the searches or alerts are skipped for correlation searches
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...