How to send user login fail alerts to specific use...

10061987 · ‎09-29-2023

Hi there,

I want to send email who have 4625 over 20 login fail count. I have search there is no problem about search but i couldn't figure out to send emails to specific users who have 4625 login fail events. I know trigger action like send mail but i couldn't figure out how to send specific users. I don't want to send email to a group, i need send email to specific users who have 4625 events.

Any help would be appreciated!

meetmshah · ‎09-30-2023

Hello @10061987,

You can use fields from the first line of the results in the alert, e.g. $result.email$ assuming your search includes the email field. Then if you trigger the alert for each result (rather than just once), each result will execute the action with its corresponding row from the events.

Reference - https://community.splunk.com/t5/Alerting/Splunk-Alerts-How-to-use-email-address-from-variable/m-p/63....

Please accept the solution and hit Karma, if this helps!

PickleRick · ‎09-30-2023

There is also an app providing a more flexible email command than the builtin sendemail one. Don't remember the name but ir's easily findable on Splunkbase.

Having said that, remember that it's risky to use "external" data this way because you might end up sending emails (and a lot of them sometimes) to non-existent, or empty email addresses.

How to send user login fail alerts to specific users (who have 4625)?

other

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!