cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
sutom
Engager
Member since: 3 weeks ago
a week ago
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-23-2021
View All

Possible way to receive /consume Email in Splunk a...

by in Getting Data In
a week ago
a week ago
Hi All, I am searching App/Add-on to consume or receive the Email in Splunk cloud. Here is my use case - I have a 4-email server such as - Gmail, Yahoo, Hotmail, and outlook from where I use to receive the emails very frequently for some use cases. Here I want to onboard these emails in Splunk, OR consume/receive these emails in Splunk and interpret them as an event. I came across some of the APPs - https://splunkbase.splunk.com/app/3200 https://splunkbase.splunk.com/app/1739 But did not figure out which is best for my case. Can anyone please help here to identify the best one for my use-case or any other best possible to achieve this? Thanks. ... View more
Labels

Re: How to throttle or Suppress email alerts for m...

by in Alerting
3 weeks ago
3 weeks ago
Thanks @hoaxm3 it worked out, Now I am able to Suppression = src,uri_path,status with three field and getting result as expected. ... View more

How to throttle or Suppress email alerts for multi...

by in Alerting
3 weeks ago
3 weeks ago
Hello Everyone, I am new to this place and this is my first query, looking for your help. I have a use-case where I am trying to set an alert and make it dynamic based on the SLP query result, my recipient list is constant. but Alert is not working as I expected. I went through a lot of links and Splunk docs but still, I am in middle. My requirement is to send the alert for every row from the result based on status and src(host IP) but I am receiving an alert only for the first row from the result. Here is the query -   index=dummy uri_path | stats count(eval(status>399)) as Error_Count by uri_path, status,user_name, src | where Error_Count > 0   Result - uri_path status user_name src Error_count /user/new 400 XXX 123.21.321.12 1 /user/show 404 YYY 321.12.32.21 1 My Alert Subject -   $result.status$ Error while access API for User $result.user_name$   My Message -   $result.status$ Error got observed while access API $result.uri_path$ with user $result.user_name$ on host $result.src$. For more info please click on below link   My alert subject and message is getting update based on the result but I am constantly getting Alert for first row from result  - Splunk Alert: 400 Error while access API for User XXX. which is correct for first row Some configuration in alert - Alert type - Crone sachedule for 15 minutes, Cron Expression - */15 * * * * , Expire - 24 hour Trigger alert when - is greater then 0, Trigger - for each result. Throttle - yes Suppress results containing field value - src=$result.src$, Suppress triggering for - 20-minutes Still I am getting alert for first row from result,Not sure what I am missing here to get other rows alerts. If you can see I have suppressed based on src and in result SRC is different for both the rows. so based on this I should get both alerts but I am not. Can anyone please help me to understand this, I want to send the alert based on status and src, if any new status + src combination come in result then it should send the result wether it is on first row in result or sencond row in result.   Hope I am able to express my query.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
a week ago