Alerting

Scheduled E-mail Alerts not sending when conditions met (I think)....

soniquella
Path Finder

Good afternoon all.

I wonder if you could help me solve this issue I'm experiencing.

I am trying to create a test email alert that notifies me when an EventCode for a successful SQL backup is not matched. This would be scheduled to run at around 22:00 each night (the backup begins at 21:00) but for testing purposes, I set the search to run hourly and scheduled the alert to check that conditions were met hourly.

Search syntax: host=hostservername sourcetype=WinEventLog:Application SQL FIMService EventCode=18264

This EventCode shows a successful SQL backup.

The alert trigger to test is currently scheduled to run every hour on the hour, and the trigger condition is set to "Number of results is equal to 0" (as it is on every hour up until the scheduled task completes successfully at 21:00 and shortly after). NB: Remember this will be changed back to run once a day at 22:00 after successful testing....

Although the conditions are matched, and if I just run this search zero results are found, I am still not receiving any emailed alert?!

Probably something simple but that's me.

Many thanks for any help in advance.

Rob.

0 Karma
1 Solution

bcatwork
Path Finder

I believe that you need a stats function to do some additional analysis on returned events to get 'number of results'.

To add to your query:

host=hostservername sourcetype=WinEventLog:Application SQL FIMService EventCode=18264 | stats count

So in theory, there should be a count of 1 at 22:00 hours daily, but your alert will trigger if count is 0.


0 Karma
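The accepted answer above, written out as a complete saved-search stanza in savedsearches.conf. This is an added example, not configuration posted in the thread; the stanza name, the recipient address and the two-hour lookback window are assumptions. One caveat worth knowing when you wire this up: `| stats count` always returns exactly one row (count=0 when no backup event was found), so a trigger of "number of results equal to 0" would never fire once stats is added. The stanza therefore uses a custom trigger condition that tests the count field itself.

```ini
# Added example (not from the original thread). Drop into
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf and restart or reload.
# Stanza name, recipient and lookback window are assumptions.
[SQL backup missing - FIMService]
search = host=hostservername sourcetype=WinEventLog:Application SQL FIMService EventCode=18264 | stats count

# Run once a day at 22:00 server time; the backup starts at 21:00.
enableSched = 1
cron_schedule = 0 22 * * *

# Only look at the window in which the success event should have been logged,
# so an old backup from yesterday cannot satisfy the search.
dispatch.earliest_time = -2h@h
dispatch.latest_time = now

# "stats count" returns one row even when no events match, so do not use
# "number of results = 0"; test the count field instead.
alert_type = custom
alert_condition = search count=0

# Fire every time the condition holds (no suppression) and keep it in
# the Triggered Alerts list so a missed backup is visible in the UI too.
alert.suppress = 0
alert.track = 1
alert.severity = 4

# E-mail action; assumed recipient.
action.email = 1
action.email.to = dba-oncall@example.com
action.email.subject = SQL backup success event 18264 NOT seen on hostservername
action.email.inline = 1
action.email.sendresults = 1
```

For testing at an hourly cadence as in the original post, change cron_schedule to `0 * * * *` and shrink dispatch.earliest_time to `-1h@h`; every run outside the 21:00 hour should then produce count=0 and send mail, which confirms the action works before the schedule is moved back to 22:00.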

soniquella
Path Finder

Just the job! I knew I was missing something.
Thanks very much! 🙂

0 Karma

soniquella
Path Finder

I have also checked the logs in SPLUNKHOME$/opt/splunk/var/log/splunk (python.log), but nothing reports a failure, as if the alert is not even being triggered?

0 Karma