Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Newbie

markbudman
Engager
‎11-12-2020 12:22 PM

Hello,

I am a Splunk newbie and I am having issues using this software.

I have gone through documentation, but I still find it challenging.

For instance, how does one modify the code that generates an existing search? I have a search alert called "Test"

I can change what happens when the alert is triggered, but do not see how to modify the actually search code (for lack of a better word). I only see save As as Save is whited out.

The person who worked with Splunk prior to me created a dashboard that listed servers and the number of times each server appears within a specified period.

I would like to create an alert, where if a new server appears, an email alert is sent out if there are more than 100 lines (or logs generated for this particular server)  within an hour period for this new server.

Email configuration is fine and works as desired. Can someone guide me as to how to create such an alert? Is there a way to use the code that generates the Dashboard?

Any assistance would be greatly appreciated. I have only been working with Splunk for 2 days.

Thanks in advance!

Mark

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2020 12:37 PM

Mark,

Start by taking the free Splunk Fundamentals 1 course.  That will help to get you oriented.  See https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html

Since you inherited your Splunk from someone else, give this document a read. https://docs.splunk.com/Documentation/Splunk/8.1.0/InheritedDeployment/Introduction

Beg your boss for proper Splunk Admin training.

Inability to make changes usually indicates a permission problem.  Are you signed in as an Admin or a user?

Is this an on-premises Splunk or Splunk Cloud?

---
If this reply helps you, Karma would be appreciated.
Reply

markbudman
Engager
‎11-12-2020 12:40 PM

Oops. I should have mentioned that this is on premise Enterprise Splunk, version 8.x

I sign is as Admin.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...