Alerting

Adding a list (table) to the email body from a scheduled search alert.

smithjnick
Path Finder

Hi All

I have a basic alert set up to trigger whenever I have 3 or more failed SQL logins - as follows:

       sourcetype="WinEventLog:Application" EventCode=18456 | stats count by sql_login_name
       | search count > 2

An email is then sent out alerting the db admins about the event.

I have played around with the new alert config using the token feature in order to draw in other variables related to the issues but to no avail.

Is it possible to drop the results of the following stats command into the email body, or is there another approach I could use? The end game is to have a table pushed out inside the email listing the criteria below as well as the triggered event.

       | stats list(sql_login_name) by SourceName, login_source, host

Cheers

1 Solution

smithjnick
Path Finder

I have figured this out by utilising the command: "stats count, list....." whereas previously I had "stats count" followed by a pipe to "stats list".

Just out of interest - I am trying to get my head around the difference between Table and List and best practice on usage. Both appear to have a similar output?


splunker12er
Motivator

You might need to edit the sendemail.py file under your app/bin directory to accommodate your search results.

Using the stats command in the saved search for alerting sometimes will ignore the results...

Search for the below stanza in your sendemail.py file... and modify this file.

def generateHTMLResults(results):
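As an added illustration of what such a results-to-HTML function has to do (this is example code, not Splunk's sendemail.py nor the generateHTMLResults function it ships with), the block below renders rows from the combined "stats count, list(...)" search into an email table. It assumes results arrive as one dict per row with the list() field as a Python list, and it HTML-escapes every cell, since failed-login names are attacker-chosen strings that would otherwise land as live markup in the admins' mail client.

```python
from html import escape

# Constructed sample results, shaped like the output of a search such as
#   ... | stats count, list(sql_login_name) AS logins BY SourceName, login_source, host
# (assumed shape: one dict per row, multivalue field as a Python list).
SAMPLE_RESULTS = [
    {"SourceName": "MSSQLSERVER", "login_source": "10.0.0.5", "host": "db01",
     "count": "3", "logins": ["sa", "sa", "backup_svc"]},
    {"SourceName": "MSSQLSERVER", "login_source": "10.0.0.9", "host": "db02",
     "count": "4", "logins": ["<script>alert(1)</script>", "admin", "admin", "admin"]},
]


def results_to_html_table(results, fields):
    """Render result rows as an HTML table for an alert email body.

    Every cell is HTML-escaped so that a login name containing markup is shown
    literally instead of being interpreted by the recipient's mail client.
    Multivalue cells (the list() field) are rendered one value per line.
    """
    def cell(value):
        if isinstance(value, (list, tuple)):
            return "<br>".join(escape(str(v)) for v in value)
        return escape("" if value is None else str(value))

    head = "".join(f"<th>{escape(f)}</th>" for f in fields)
    body = "".join(
        "<tr>" + "".join(f"<td>{cell(row.get(f))}</td>" for f in fields) + "</tr>"
        for row in results
    )
    return f'<table border="1"><tr>{head}</tr>{body}</table>'


def render_alert(results, threshold=2):
    """Keep only groups above the threshold (mirrors '| search count > 2') and render them."""
    kept = [r for r in results if int(r.get("count", 0)) > threshold]
    return results_to_html_table(kept, ["SourceName", "login_source", "host", "count", "logins"])


if __name__ == "__main__":
    print(render_alert(SAMPLE_RESULTS))
```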


smithjnick
Path Finder

Righto ppablo - I don't yet fully understand Splunk Answers etiquette.

ppablo
Retired

Hi @smithjnick

Please be sure to accept your answer so others with similar issues/questions will be more likely to refer to this post for help. Thanks!

Patrick


somesoni2
SplunkTrust

Have something like this in your savedsearches.conf to send the results inline in the email.

[YourSavedSearchName]
action.email = 1
action.email.to =  Your@email.list
action.email.cc =  Your@email.list
action.email.subject = YourSubject
action.email.format = html
action.email.sendresults = 1
action.email.inline = 1
action.email.ttl = 10
...Other properties
....
....

smithjnick
Path Finder

Thanks for the response somesoni2, but I already figured that piece out. My query was in relation to how the list was presented within the email.
