×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
vdhiman63
Engager
Member since: ‎02-28-2021
‎07-28-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎02-28-2021
Activity Feed
Topics I've Started
View All

Re: Missing results in Splunk Alert Email

by in Alerting
‎10-29-2021 06:52 AM
‎10-29-2021 06:52 AM
Thank you iam trying to check the logs. How can i verify the number of results in this message :  event_message user=" ", app="search", savedsearch_name="Potential Brute Force Attack - 4 or more login attempts in 5 mins", status=delegated_remote_completion, scheduled_time=1635418800, member_guid=246-1311-453B-B4C8-727D1A, member_label="SH005", member_URI="https://10....", sid=scheduler__search__RMD57367c0d1d64e89d1_at_1635418800_55813_7EA1D246-1311-453B-B4C8-727D1A477CE1, success=1 ... View more

Missing results in Splunk Alert Email

by in Alerting
‎10-28-2021 07:19 AM
‎10-28-2021 07:19 AM
Hello Splunk Community ! I have an alert setup to report failed login attempts by a user > 4 times in 5 minutes. Alert query : index=win_os sourcetype="Security" EventCode=4625 | bin span=5m _time| stats count dc(user) by _time, user, Logon_Type,dest, src, Failure_Reason | where count > 3 | sort user | table _time, user, count, Logon_Type,dest, src, Failure_Reason Alert settings: Alert Type: Scheduled. Hourly, at 0 minutes past the hour. Trigger Condition: Number of Results is > 0 Issue : the last time this alert ran, i got results only from 3 PM attempts. the alert PDF did not report the results from 2:55 PM. Actual Query result:   Alert PDF that came in email: Any idea why the complete results were not shown from 2:55 PM when the alert triggered at the hour ?  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-28-2025 10:39 AM
Karma given to
View All