How to generate an alert based on new database tab...

cjs1031 · ‎03-10-2017

I am new to Splunk, very green. I have a DB search that I need to run and I have the search string I need but when I setup an alert, the alert is checking the results and sending them all to me. Basically, each time a new entry hits that table I need it to send me an email with just the new entrie(s). I imagine this is very simple to do but again, I am green. Here is my string.

index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 | stats values(user_id) as userID by Action_date,Action,xcomp_access_role_id,create_login

the_wolverine · ‎03-13-2017

Trying specifying a timerange either in your query syntax, then schedule the search to run every hour:

e.g.
index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 earliest=-1h latest=now | stats values(user_id) as userID by Action_date,Action,xcomp_access_role_id,create_login

In configuration, set the alert to email when there are greater than 0 events.

cjs1031 · ‎03-13-2017

Hi thanks!

Actually I found more to this, so there is a different column I need to base this on "create_date". So I think you are on the right track so something like this:
index=main sourcetype=trims_tblXUsersRoles_audit xcomp_access_role_id=3 create_date="" | stats values(user_id) as userID by Action_date,Action,xcomp_access_role_id,create_login,create_date

What can I do with the "create_date" to pickup the newest creation date when this job runs every 5mins?

How to generate an alert based on new database table entry?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!