Re: Newly created Sourcetype should alert in Splun...

anandhalagarasa · ‎10-22-2019

Hi Team,

I have a requirement that to ingest a particular logs from a client machine so I have created a custom app with inputs in place. i.e. with source & sourcetype. Here sourcetype i have created newly as abcd. And I have pushed the custom app from Deployment server which in turn its getting applied to indexers and the log has been ingested into Splunk Cloud.

My query is that for each and every sourcetype which we create newly should be reported to Security Operations team so that they will keep track of it.

For example if a new sourcetype has been created and deployed from our end then the same day or the consecutive day an email has to be triggered to Security Operations team.

So what would be the search query to fetch the data.

gcusello · ‎10-22-2019

Hi anandhalagarasan,
if you want a daily check you could schedule an alert running e.g. at 00.15 with a search like this one:

index=_internal earliest=-d@d latest=@d
| stats dc(date_mday) AS count_day max(date_mday) AS day BY sourcetype
| eval checkdate=if(day=tonumber(strftime(now(),"%d"))-1,"OK","NOK")
| where checkdate="OK" AND count_day>1

Remember that it isn't a good idea to have too many sourcetypes and that all the knowledhe object (as fields, tags, eventtypes, etc...) are related to sourcetype, so if you continuosly add new ones it's more difficolut to use them.

Ciao.
Giuseppe

Newly created Sourcetype should alert in Splunk Alerts

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?