Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to configure splunk to send all alerts in one email ?

Pikta
Explorer
‎04-22-2021 04:58 AM

Hello all,

It's my second day with a Splunk and I cant understand a splunk logic. I created a alert search. It works fine. As a search result I have a table:

IP address   username broken_rule   count_of_broken_rules
192.168. ...    aaa             rule_name       75
192.168...      bbb             rule_name       74
199.188...      ccc              rule_name       20
How can You see in picture, I configured alert to send an email when count of broken rules is more than 60.  It must to send an email every hour. If I choose an option "Once" I am getting an email only with a one (first) record. But I want to get an email with a second record too. If i choose an option "for each result" I am getting an email for all records. It doesnt matter, that the the third record does not meet the requirement> 60. I want to get one email with the two record (from a example with first and second records). What I am doing wrong?

 

Pikta_0-1619092188036.png

 

Labels (2)
Labels
0 Karma
Reply

Pikta
Explorer
‎04-22-2021 06:19 AM

@richgalloway 
Thanks for an answer. I will try it. But how to configure Splunk, that it will send an email with all records in one email? 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-22-2021 06:49 AM

You did that before.  Select the "Trigger Once" option.  That's always worked for me and I've never had an alert contain only the first result.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Pikta
Explorer
‎04-22-2021 11:11 PM

Hi @richgalloway 
Does your email  "message" field has any text?  I wrote in this field this  text. Maybe it is a reason, why I am getting email only with the first result? 

Pikta_0-1619157507332.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2021 05:07 AM

Yes, I always include something in the Message field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-22-2021 06:15 AM

The alert is set to trigger when the number of results is greater than 60, without regard to the value of the results.

In my experience, it's better to have the alert search for and show only the results that meet the criteria for the alert.  For instance

... | where count_of_broken_rules > 60

then set the alert to trigger when the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...