Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to raise an alert for dbquery in splunk?

boney_s
Explorer
‎10-30-2014 03:55 AM

I need to raise an E-mail alert for a particular sql command query in Splunk 6.1.0. i. e if the number of rows is greater than 9. I have created an alert for dbquery (|dbquery "SystemLog" "Select * from Central_Log',->Save_As->Alert). i have created a custom trigger with condition "search count >9".
But now i am getting the error as dbquery command is not supported in a real-time search. How can i achieve this in splunk. Thanks in advance.

Tags (1)
0 Karma
Reply

linu1988
Champion
‎10-30-2014 05:12 AM

Hello Boney,
If realtime doesn't support then use the schedule alert like every minute. For alerting provide a condition as well.

|dbquery "SystemLog" "Select * from Central_Log"|where Field > 5

similarly if you want to set alert for unsuccesful attempts then mention the condition as below.

sourcetype=mysource "Unsuccessful"|stats count|where count=5

More Reference:
http://docs.splunk.com/Documentation/Splunk/6.1.4/Alert/Setupalertactions

Thanks,
L

Reply

boney_s
Explorer
‎10-30-2014 10:39 PM

Thank you my friend, scheduled alert worked. Two more queries:
1. No email is send for the alert but alerts are shown in triggered alert page . Do i need to configure it in splunk system setting (Settings->System Settings->Email Setting ). Could you please specify the parameters that need to be configured.
2. What is the cron expression for raising alert every 1 min(Scheduled alert). I have given :
Earliest : -5m
Latest: now
cron Expres: */5 * * * *
But only two alerts are shown at 18:32 IST and 18:37 IST

0 Karma
Reply

linu1988
Champion
‎10-31-2014 03:59 AM
  • * * * * for every minute. Checking is the throttling is enabled. Emails i am not sure why it will not be triggered, is the mail client configured? Check in system Setting for email server and check the sendmail command manually if the email works. You can find all the info in splunk docs.
0 Karma
Reply

boney_s
Explorer
‎10-30-2014 04:32 AM

Guys i also wrote one application which logs unsuccessful logins into mysql database, which I have integrated into splunk using splunkDbconnector. Is there any way to raise an alert specifically E-mail, if number of unsuccessful attempts is greater than 5.

Also please provide me any useful links. I am newbie to this field.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...