Re: Newly created Sourcetype should alert in Splun...

anandhalagarasa · ‎10-22-2019

Hi Team,

I have a requirement that to ingest a particular logs from a client machine so I have created a custom app with inputs in place. i.e. with source & sourcetype. Here sourcetype i have created newly as abcd. And I have pushed the custom app from Deployment server which in turn its getting applied to indexers and the log has been ingested into Splunk Cloud.

My query is that for each and every sourcetype which we create newly should be reported to Security Operations team so that they will keep track of it.

For example if a new sourcetype has been created and deployed from our end then the same day or the consecutive day an email has to be triggered to Security Operations team.

So what would be the search query to fetch the data.

gcusello · ‎10-22-2019

Hi anandhalagarasan,
if you want a daily check you could schedule an alert running e.g. at 00.15 with a search like this one:

index=_internal earliest=-d@d latest=@d
| stats dc(date_mday) AS count_day max(date_mday) AS day BY sourcetype
| eval checkdate=if(day=tonumber(strftime(now(),"%d"))-1,"OK","NOK")
| where checkdate="OK" AND count_day>1

Remember that it isn't a good idea to have too many sourcetypes and that all the knowledhe object (as fields, tags, eventtypes, etc...) are related to sourcetype, so if you continuosly add new ones it's more difficolut to use them.

Ciao.
Giuseppe

Newly created Sourcetype should alert in Splunk Alerts

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases