Alerting

Adding a list (table) to the email body from a scheduled search alert.

smithjnick
Path Finder

Hi All

I have a basic alert set up to trigger whenever I have 3 or more failed SQL logins, as follows:

       sourcetype="WinEventLog:Application" EventCode=18456 | stats count by sql_login_name
       | search count > 2

An email is then sent out alerting the db admins about the event.

I have played around with the new alert config using the token feature in order to draw in other variables related to the issues but to no avail.

Is it possible to drop the results of the following stats command into the email body, or is there another approach I could use? The end game is to have a table pushed out inside the email listing the criteria below as well as the triggered event.

       | stats list(sql_login_name) by SourceName, login_source, host

cheers

1 Solution

smithjnick
Path Finder

I have figured this out by utilising the command "stats count, list(...)", whereas previously I had "stats count" followed by a pipe to "stats list".

Just out of interest, I am trying to get my head around the difference between table and list and best practice on usage. Both appear to have a similar output?

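As an added worked example (not part of the original thread), this is the question's detection search rewritten the way the accepted solution describes, with the count and the list computed in a single stats call so the whole table can be emailed. The field names (sql_login_name, SourceName, login_source, host) come from the question; the three-failure threshold is carried over from the original alert, and the distinct_logins column is an assumed extra that the thread does not mention:

```spl
sourcetype="WinEventLog:Application" EventCode=18456
| stats count,
        list(sql_login_name) AS attempted_logins,
        dc(sql_login_name)   AS distinct_logins
  by SourceName, login_source, host
| where count > 2
| table host, SourceName, login_source, count, distinct_logins, attempted_logins
```

On the table-versus-list question raised in the solution post: `list()` (like `values()`) is an aggregation function inside `stats`, so it builds a multivalue field per group, with `list()` keeping every occurrence in order and `values()` deduplicating; `table` is a separate command that only selects and orders the columns of the rows that already exist. Used together, `stats ... list()` builds the per-host rows and `table` decides which columns appear in the emailed result.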

splunker12er
Motivator

You might need to edit the sendemail.py file under your app/bin directory to accommodate your search results.

using stats command in the savedsearch for alerting sometimes will ignore the results...

Search for the below stanza in your sendemail.py file and modify it:

       def generateHTMLResults(results):

smithjnick
Path Finder

Righto ppablo, I don't yet fully understand Splunk Answers etiquette.

ppablo
Retired

Hi @smithjnick

Please be sure to accept your answer so others with similar issues/questions will be more likely to refer to this post for help. Thanks!

Patrick


somesoni2
Revered Legend

Have something like this in your savedsearches.conf to send the results inline in the email.

       [YourSavedSearchName]
       action.email = 1
       action.email.to =  Your@email.list
       action.email.cc =  Your@email.list
       action.email.subject = YourSubject
       action.email.format = html
       action.email.sendresults = 1
       action.email.inline = 1
       action.email.ttl = 10
       ...Other properties
       ....
       ....

smithjnick
Path Finder

Thanks for the response somesoni2, but I already figured that piece out. My query was in relation to how the list was presented within the email.