In this video, we'll use our Splunk search skills to create alerts.
Splunk alerts are based on saved searches.
When the conditions you've specified are met, you can set an alert to trigger.
In this example, we've got a search that looks in an index called firewall for events where threat name equals SQL injection, and then organizes the results into a table with source IP, destination IP, and message.
We could save the search as an alert to run every hour and send an email if an event matches that search in the time frame.
In this other example, we could have the search continuously run and trigger an alert when there have been more than five matching events in the last 10 minutes.
These saved searches for alerts can be scheduled to run every hour, every day, or on certain days.
You can also schedule them using cron expressions.
If you're unfamiliar with cron expressions, I recommend using a site like crontab.guru to help you schedule them.
This will give you a lot of flexibility for scheduling and help you to stagger your alerts.
It's a good idea to schedule alerts at different times to spread out the impact of running a search.
You can also do searches in real time, where they're continuously running.
Typically, it's better to do even a very frequent scheduled search rather than a real-time search.
You can set up various actions for an alert, including multiple actions in response to a triggered alert.
You can, for example, send an email notification when one triggers.
You could also use webhooks to update a web resource, write the results to a CSV file, or add alerts to a list of recently triggered alerts.
There are also a lot of actions that come with apps. For example, a popular ticketing tool called ServiceNow has an app that, when you set it up, allows you to easily open a ticket.
Phantom, Splunk's new purchase, is an automation and orchestration tool, and it can take events and kick off more complex actions in response to alerts.
To receive phone calls, text notifications, and push notifications, you could use another recent acquisition, VictorOps.
Other good tools for this that integrate with Splunk include PagerDuty.
With that, I think it's time to go in and create a practice alert.
I've got two machines I'll be working with in this video.
I have my Splunk search head hosted on this Linux machine, and I have a Windows machine with a universal forwarder installed.
The Windows machine will serve to generate new events for us to alert on.
I'm looking at the Search & Reporting app on my search head here, and I've searched for Windows event logs that have an ID of 4625, which is the code for an account failing to log on.
I further specified that I want events where the field for failure reason equals "Unknown user name or bad password". Then I've run statistics on the returned events, getting a count of events by computer name, and have included other values in the display.
Right now, I've got one event.
One event might be pretty reasonable in this environment, but maybe I want to be alerted if there have been more than three of these in the last 60 minutes.
So I'm going to add a pipe here and say where count is greater than three, and switch from verbose mode to smart mode, because I don't need the full event data. I just want what's going to show up in this table.
Oops, I might have left the time range too long; let me do the last four hours.
Oh, I didn't do it wrong.
If you remember, I said there's only one event there.
So something you could do to check and make sure your search is working is to lower the count you need. I am getting results when I lower the count.
So if I change that back up to three, I can save this as an alert.
So I'm just going to go up here to Save As, and I'm going to call this...
For the description, I'll just say this is in progress; I want to see how this alert is doing.
I could set this to run every week, every hour, or every day. I'm going to put it on a cron schedule, so I don't have to wait too long to get my results.
Looks like it's :54 right now, so I'm going to give myself a few minutes for this to run and say I want this to happen every hour at the 59th minute, and this is going to check the last 60 minutes.
The results of this alert will expire in 24 hours, but that doesn't mean the data will disappear.
If I want to, I can go back and run this search again and specify the time frame of today during these hours, and I can still get the results. But I would need to rerun the search to have those.
I want this alert to trigger when the number of results is greater than zero; I've already specified in the search that I want the count to be higher than three.
And I only want one alert.
Then for alert actions, I'm going to say I'll trigger alerts with a severity of medium.
I'm also going to want to send an email. In the email, I'll send it to here and leave that pretty normal.
If you see this name with the dollar signs around it, this is called a token, and it's going to fill in the name of this alert in here.
So if I want to, I could add extra information, like "if this triggers..." or whatever I want in there.
There's going to be a link to the alert and the results in the body of the email, but I'm also going to want to put the results inline, so it will show the table that we had in the search back here in the body of the email, and also attach a PDF.
With that, I'm going to save it.
I can view the alert if I want.
So I've got my two actions here. It's currently enabled.
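Added example, not part of the video: the alert logic built above (EventCode 4625 with failure reason "Unknown user name or bad password", counted by computer, reported only where the count exceeds three in the last 60 minutes, triggering when there is more than zero results) reimplemented in Python so you can see which computers would be reported at a given scheduled run. The events, computer names, account names and field order are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The SPL equivalent of what the video builds (index and field names assumed):
#   index=wineventlog EventCode=4625 Failure_Reason="Unknown user name or bad password"
#   | stats count values(Account_Name) as users by ComputerName
#   | where count > 3
BAD_PASSWORD = "Unknown user name or bad password"

# Constructed sample events: (timestamp, EventCode, ComputerName, Account_Name, Failure_Reason)
EVENTS = [
    (datetime(2020, 5, 1, 12, 30), 4625, "WIN10-LAB", "hermione", BAD_PASSWORD),  # > 60 min old at 13:59
    (datetime(2020, 5, 1, 13, 2), 4625, "WIN10-LAB", "hermione", BAD_PASSWORD),
    (datetime(2020, 5, 1, 13, 5), 4625, "WIN10-LAB", "hermione", BAD_PASSWORD),
    (datetime(2020, 5, 1, 13, 40), 4625, "WIN10-LAB", "hermione", BAD_PASSWORD),
    (datetime(2020, 5, 1, 13, 50), 4624, "WIN10-LAB", "hermione", ""),  # successful logon, ignored
    (datetime(2020, 5, 1, 13, 55), 4625, "WIN10-LAB", "admin", BAD_PASSWORD),
    (datetime(2020, 5, 1, 13, 10), 4625, "SRV-FILES01", "alice", BAD_PASSWORD),
    (datetime(2020, 5, 1, 13, 20), 4625, "SRV-FILES01", "bob", BAD_PASSWORD),
]

# Two scheduled run times: the cron schedule from the video fires at the 59th minute.
RUN_AT_1330 = datetime(2020, 5, 1, 13, 30)
RUN_AT_1359 = datetime(2020, 5, 1, 13, 59)


def failed_logons_by_computer(events, run_time, window=timedelta(minutes=60), threshold=3):
    """Mirror the saved search: count bad-password 4625 events per computer
    inside the search window (last 60 minutes, ending at the run time) and
    keep only computers whose count exceeds the threshold."""
    earliest = run_time - window
    counts = defaultdict(int)
    users = defaultdict(set)
    for ts, code, computer, account, reason in events:
        if code != 4625 or reason != BAD_PASSWORD:
            continue  # the base search filters on event code and failure reason
        if not (earliest < ts <= run_time):
            continue  # outside the "last 60 minutes" time range
        counts[computer] += 1
        users[computer].add(account)
    return {c: {"count": n, "users": sorted(users[c])}
            for c, n in counts.items() if n > threshold}


def scheduled_run(events, run_time):
    """One scheduled execution of the alert. The trigger condition from the
    video is 'number of results > 0'; the count > 3 test already lives in
    the search itself, so any returned row means the alert fires."""
    results = failed_logons_by_computer(events, run_time)
    return {"triggered": len(results) > 0, "results": results}
```

Running `scheduled_run(EVENTS, RUN_AT_1359)` reports only WIN10-LAB (four failures from two accounts), while the same events evaluated at 13:30 produce no results and no alert, which is why lowering the count, as the video does, is a useful way to confirm the search itself returns rows.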
Now I'm going to hop over to my Windows machine and try to trigger some authentication failures.
So there's a user called Hermione.
Oh, that didn't work.
I don't want it to work.
Just type it away.
That's a good password, right?
But that's not her password.
So I'm just going to keep trying to generate these events so we can get a higher count here.
If I want to take a look at my alert, I can go to Settings, then Searches, reports, and alerts.
I think I called it Authentication failures. Yep. So this tells me the next scheduled time, which should be in a minute here.
There are currently no alerts for it.
In a minute, we should see that count go up.
Great. So I've got an alert here.
Now, if I want to take a look at it, I go to View Recent.
Here's this alert. This is when the results were created.
It ran really quickly, and the status is complete.
So if I click on this here, I can see the results.
Perfect. So we've got results here matching the search, and this will run every hour at whatever I have set it for. It tells me the next time here, so it's going to run again in just less than an hour.
The other thing I can do is go under Activity and look at Triggered Alerts, and it also shows up there as well.
It gives the severity here, and it gives you the results from here too, if I want to.
So with that, we've successfully created an alert.
Time for a quiz: when an alert triggers, Splunk can...
There's a lot of options here, so I'm going to help you out.
Splunk could send an email, could run a script, add the alert to triggered alerts, save the results to the machine, run other app actions, or do an HTTP POST request.
And with that, we've completed this video.
In the next video, we'll be looking at reports and dashboards.