Alerting

Need Alert email with the information of triggered candidate and what he trigger??

Rocky31
Path Finder

I created an alert with this SPL( index=_audit action=edit OR action=create OR action=delete OR action=change| stats count by user, action ) but i am receiving email when admin trigger, but in that email i don't see any information about who trigger and what he trigger, can any one help me out of this.

Tags (1)
0 Karma

burwell
SplunkTrust
SplunkTrust

You need to modify the actions of the email alert.

  1. Searches and Reports
  2. Under Alert Actions -> Click to Edit Actions
  3. Maybe you want the inline table

One thing I found helpful was to do something like this to threshold on the number of errors but still see the original events

stats values(_raw) AS raw count as errors | where errors > *threshold* |   table errors raw | mvexpand raw

Rocky31
Path Finder

is that a syntax

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...