×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
calejohn5
Explorer
Member since: ‎09-30-2021
‎10-15-2021
Community Statistics
Posts 10
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎09-30-2021
Activity Feed
View All

Re: Custom alert will not work

by in Alerting
‎10-11-2021 11:19 AM
‎10-11-2021 11:19 AM
For my other alerts that worked, for some reason this one refuses to set off.  It's like it doesn't recognize the results as results. I'm using an email alert to my email and checked my triggered alerts page, I did not see it on there. ... View more

Custom alert will not work

by in Alerting
‎10-11-2021 09:15 AM
‎10-11-2021 09:15 AM
Hello, I have struggled with alerting a specific search I've made.   EVENT_TYPE="Login" LOGIN_STATUS=* [search EVENT_TYPE="Login" LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT" | stats count by USER_ID | table USER_ID] | stats latest(LOGIN_STATUS) AS LOGIN_STATUS latest(USER_NAME) AS USER_NAME latest(UserAccountId) AS "Account Id" latest(USER_TYPE) AS "User Type" latest(TIMESTAMP) AS "Time stamp" by USER_ID | where LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT" Which results in this I have tried number of results > 0 search USER_ID> 0 I tried using field tokens such as $RESULT.userid$ > 0  Does anyone know how I can edit my search or trigger to actually trigger when I receive results? ... View more

Re: Prevent repeated alerts on recurring results

by in Alerting
‎10-07-2021 07:27 AM
‎10-07-2021 07:27 AM
I ran out of time to properly test "rise by 1".  I couldn't even get $result.USER_ID$ in the alert message to work. I ended up just triggering for each result and suppressing the alert for 24 hours.  If anything I'll have to come back in the future and learn more/work on this.  I appreciate the help! ... View more

Re: Prevent repeated alerts on recurring results

by in Alerting
‎10-06-2021 09:36 AM
‎10-06-2021 09:36 AM
Ok that makes sense and I tried researching why my data was taking so long to enter Splunk from Salesforce but gave up.  It's not a big deal as I just need to fix this one alert anyway. I was thinking - If I chose number of results rises by '1' for the trigger condition, wouldn't that send out an individual alert every time a new event (user lockout) occurs, and never again for the same result since the count would remain the same? I'm testing that out, but as I said earlier it may take awhile.   ... View more

Re: Data is not fetching from salesforce to splunk...

by in All Apps and Add-ons
‎10-05-2021 09:18 AM
‎10-05-2021 09:18 AM
This happened to me as well.  It could be that your Splunk Integration User had "Manage Users" removed from it's permissions, which is needed to view the LoginHistory object. Our workaround was to use the User object and LoginEvent to retrieve the same type of data. ... View more

Re: Prevent repeated alerts on recurring results

by in Alerting
‎10-04-2021 11:29 AM
‎10-04-2021 11:29 AM
When I hit "Open in Search" for the alert it brings me to the search, except it's timeframe is "Last 1 hour" while the actual search I built this alert from is based off "All Time". The "Last 1 hour" timeframe doesn't yield any results whereas the "All Time" search yields a result, which would trigger the alert. So maybe this search already limits this return result to one time...   But in regards to my last request - Whenever I perform an event in Salesforce, it takes about 8 hours for that event to get added into Splunk.  This makes testing extremely difficult. ... View more

Re: Prevent repeated alerts on recurring results

by in Alerting
‎10-04-2021 08:32 AM
‎10-04-2021 08:32 AM
It seemed to not send out any alerts... Is there any way to index data from another instance faster?  The data doesn't seem updated when I search for event I know recently happened.  This would help with testing 10-fold. ... View more

Re: Prevent repeated alerts on recurring results

by in Alerting
‎10-01-2021 08:50 AM
‎10-01-2021 08:50 AM
Ok I turned on For Each Result and Suppressing when USER_ID= $result.USER_ID$.  I just need to wait for this query to run again and get indexed and I'll see if that works.  ... View more

Re: Prevent repeated alerts on recurring results

by in Alerting
‎10-01-2021 07:05 AM
‎10-01-2021 07:05 AM
When I add Throttling does that suppress alerts ONLY for that user?  Because I want it to continue to alert for different users getting locked out while that initial locked user is locked out ... View more

Prevent repeated alerts on recurring results

by in Alerting
‎09-30-2021 11:35 AM
‎09-30-2021 11:35 AM
Hello all, I've recently been tasked with alerting our support email when a user in Salesforce is locked out.  The alert triggers when a User's LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT".  However, this alert keeps getting triggered if an admin doesn't unlock the User account right away.  Is there any way to limit the alert being sent out if the Usernames are identical as the previous alert? index="salesforce" EVENT_TYPE="Login" LOGIN_STATUS=* [search EVENT_TYPE="Login" LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT" | stats count by USER_ID | table USER_ID] | stats latest(LOGIN_STATUS) AS LOGIN_STATUS latest(USER_NAME) AS USER_NAME latest(SOURCE_IP) AS SOURCE_IP latest(UserAccountId) AS "Account Id" latest(USER_TYPE) AS "User Type" latest(TIMESTAMP) AS "Time stamp" by USER_ID | where LOGIN_STATUS="LOGIN_ERROR_PASSWORD_LOCKOUT" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-15-2021 12:31 AM
Karma given to
View All