Alerting

How do I get all raw events in email when using the per-result throttling field?

raju4244
Explorer

Hi,

I have created an alert with the per-result throttling field enabled. This is to get an alert in case of bad login attempts by the same user, from the same desktop, and to the same destination more than two times.

In the alert, I have chosen to get the raw event in my email. Whenever a bad login happens, I get an alert with one line of raw event instead of three or more.

How do I get all the raw event data related to this alert by email? Or is there any other option to get an email with all raw events whenever a bad login happens, which would meet my requirement?

0 Karma

splunker12er
Motivator

Did you try something like this in your search query?

your_search_to_filter_bad_login_attempt | stats values(_raw) by _time

Or

your_search_to_filter_bad_login_attempt | table field1, field2, field3
0 Karma

raju4244
Explorer

Hi,

I cannot use the second (table) option, as I require the raw event.
The first one can be used; I need to try it out.

I feel there is no issue with the search result, as we are getting the alert properly when a bad login happens.
The only thing is that the report that comes in the mail does not have all the raw events.

If there are 5 bad login events, I'm expecting the 5 raw event lines in the mail.

FYI, the following is my search query; I have a search query with the required fields, nothing more than that.

my_base_search_with_fields

It runs every 5 min, and the alert condition is: if the number of events is greater than 2. Alert mode is once per result with throttling of 5 min, and field throttling with my fields (User, Server, IP).

When I use these throttling fields I get only one raw event in the mail when a bad login happens, while at the same time when I look at the result it shows all the events properly.

I just want to know how I get all raw events in the mail when the throttling field is used?

0 Karma
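One way to get every matching raw event into a single email, as an added example that is not from anyone in this thread, is to collapse the events into one result per throttling key before the alert fires, so that per-result throttling on User, Server, IP suppresses a group rather than the individual events inside it. This assumes the base search and the field names User, Server, IP given above; the aliases raw_events, first_seen and last_seen are my own.

```spl
my_base_search_with_fields
| stats count,
        min(_time) AS first_seen,
        max(_time) AS last_seen,
        list(_raw) AS raw_events
    BY User, Server, IP
| where count > 2
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table User, Server, IP, count, first_seen, last_seen, raw_events
```

list() keeps duplicates and original order (capped at 100 values per result), whereas values() deduplicates, so list() is the better fit when every raw line must appear. With the count check now inside the search, set the alert's trigger condition to "number of results is greater than 0" and keep the per-result throttle on User, Server, IP; each email then carries one result whose raw_events column holds all of that group's raw events.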