- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to raise an alert for dbquery in splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to raise an alert for dbquery in splunk?
I need to raise an E-mail alert for a particular sql command query in Splunk 6.1.0. i. e if the number of rows is greater than 9. I have created an alert for dbquery (|dbquery "SystemLog" "Select * from Central_Log',->Save_As->Alert). i have created a custom trigger with condition "search count >9".
But now i am getting the error as dbquery command is not supported in a real-time search. How can i achieve this in splunk. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Boney,
If realtime doesn't support then use the schedule alert like every minute. For alerting provide a condition as well.
|dbquery "SystemLog" "Select * from Central_Log"|where Field > 5
similarly if you want to set alert for unsuccesful attempts then mention the condition as below.
sourcetype=mysource "Unsuccessful"|stats count|where count=5
More Reference:
http://docs.splunk.com/Documentation/Splunk/6.1.4/Alert/Setupalertactions
Thanks,
L
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you my friend, scheduled alert worked. Two more queries:
1. No email is send for the alert but alerts are shown in triggered alert page . Do i need to configure it in splunk system setting (Settings->System Settings->Email Setting ). Could you please specify the parameters that need to be configured.
2. What is the cron expression for raising alert every 1 min(Scheduled alert). I have given :
Earliest : -5m
Latest: now
cron Expres: */5 * * * *
But only two alerts are shown at 18:32 IST and 18:37 IST
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- * * * * for every minute. Checking is the throttling is enabled. Emails i am not sure why it will not be triggered, is the mail client configured? Check in system Setting for email server and check the sendmail command manually if the email works. You can find all the info in splunk docs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Guys i also wrote one application which logs unsuccessful logins into mysql database, which I have integrated into splunk using splunkDbconnector. Is there any way to raise an alert specifically E-mail, if number of unsuccessful attempts is greater than 5.
Also please provide me any useful links. I am newbie to this field.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
