Splunk alerts serve as the backbone of monitoring and incident management. These enable organizations to detect and respond to critical events in real-time. Whether you are a seasoned Splunk user or just starting your data-driven journey, understanding how to configure and utilize alerts is essential for ensuring the stability, security, and performance of your systems.
Noticing scattered bursts of attempted SSH logins, you have been tasked to create an alert that monitors SSH login failures and notifies you of an abundance of such events.
The first step to creating an alert is to make the search query. In this case, you must create a search query that finds events where an unsuccessful SSH login has occurred. The sourcetype of the authentication log is auth. Search for the string that failed it will give you the list of failed logins.
Before creating the alert, it's essential to understand the options you are presented with. Explanation of the key opportunities in the alert menu is described below:
This specifies the name of the alert.
This Specifies whether the alert should only be visible to you or shared with others as well.
Scheduled alerts run at the specified interval. Real-time alerts monitor events in real-time.
It is possible to use Cron syntax to specify the schedule.
Using a Cron Schedule allows you to customize the time range of the search. For example, a time range of "last 15 minutes" would only look for events that happened in the last 15 minutes. https://crontab.guru/every-5-minutes
Specifies how long an alert event will be available on the Triggered Alerts dashboard.
Trigger alert when the Number of Results is more significant than - The signal will trigger when the number of events found by your search term is more important than a specified number.
Trigger once will take a trigger action for all events once the trigger condition is met.
Trigger for each result will take a trigger action for each event separately.
Throttling will suppress the number of times an alert will trigger in a specified time.
This can be useful if your watch has a short time interval and you do not wish to be spammed with too many alert messages.
Specify which steps to take when the alert is triggered.
The most basic action is "Add to Triggered Alerts,” which will add attention to the Triggered Alerts dashboard.
The company's new website is up and running but seems to be acting up at times. It looks like programming errors have crept their way into the code, and the customers have been met with internal server errors. Such issues, should they arise, should be found and dealt with as quickly as possible. Thus, it is up to you to be proactive and to use Splunk to implement a real-time alert, which will catch any such issues.
Currently, if many users get a 500 Internal Server Error from the same web page, then you will be bombarded with alerts. Ideally, you would want to only get one alert per broken web page. That way, you will not get too many unnecessary notifications. To do this, you will once again implement throttling, but you will do so based on a field. This means you will only get an alert message if that field is unique. Duplicates will be throttled for a chosen period.
If you wish to throttle based on a specific field, you need to add that field to the search query. You will be throttling based on the field uri_path, which specifies the path of the API endpoint, which is being queried. It would have been possible to add uri_path to the selected fields when crafting the search. However, now that you have created the alert, you must edit the saved search to include that field. To do that, go to Settings -> Searches, reports, and warnings.
In conclusion, Splunk alerts play a crucial role in empowering organizations to proactively monitor and respond to critical events and anomalies in their data ecosystem. By leveraging the power of Splunk's real-time analytics and alerting capabilities, businesses can gain valuable insights, enhance operational efficiency, and ensure the smooth functioning of their systems.
The best articles, links, and news delivered once a week to your inbox.