
Splunk Practice Exercise 10: Creating Alerts through Email

Introduction

This practice exercise creates a scheduled alert that searches for HTTP 4xx status codes once every hour and sends an email whenever any are found. Bursts of client errors such as 401, 403 and 404 are a common early signal of credential stuffing, forced browsing or scanner activity, which is why they are a useful condition to alert on.

Step 1: Access Splunk Web

  1. Open your web browser and navigate to Splunk Web:

    http://<your server ip>:8000

  2. Log in using your credentials.

Step 2: Navigate to Search & Reporting App

  1. In the Splunk Web interface, go to the Search & Reporting app.

Step 3: Construct the Alert Condition

  1. In the search bar, enter the following search to find events with a 4xx status code:

Query:

index=tutorial status=4* earliest=-1h latest=now

This shows 4xx errors from the past hour. If the past hour returns nothing, widen the time range while testing (for example earliest=-24h) so the search has output to inspect. Note that earliest and latest written into the search string take precedence over the time range picker and, once the search is saved as an alert, over the schedule's own time range, so keep them at -1h and now for an hourly alert.

Step 4: Create the Alert

  1. After executing the search query, click on the Save As button.

  2. Choose Alert and name it as Hourly 4xx errors - email alert.

  3. Alert type: Scheduled

    • Set it to Run every hour

  4. Expires: 4 hours (how long Splunk keeps the record of each triggered alert)

  5. Click Add Actions and choose Send email

  6. Set To to your own email address and customize the subject and message as you like. The Send email action only delivers mail if a mail server has been configured under Settings > Server settings > Email settings; without it the alert still triggers but no email is sent.

  7. Leave the remaining settings at their defaults (Trigger alert when: Number of Results is greater than 0, Trigger: Once) and save the alert.
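For reference, the following is the savedsearches.conf stanza equivalent to the alert built in Step 4, useful when you want to version-control alerts or deploy them without the UI. This is an added example, not part of the original exercise; the recipient address and the subject and message text are placeholders to replace with your own. Depending on whether the alert is private or shared, Splunk stores it under $SPLUNK_HOME/etc/users/<user>/search/local/savedsearches.conf or $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf.

```ini
# Added example: savedsearches.conf stanza for the hourly 4xx email alert.
# Recipient address and subject/message text below are placeholders.
[Hourly 4xx errors - email alert]
search = index=tutorial status=4* earliest=-1h latest=now
disabled = 0

# Schedule: run at the top of every hour. The dispatch window mirrors the
# earliest/latest terms in the search string (the search terms win if they differ).
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now

# Trigger condition: fire when the number of results is greater than 0,
# once per run (digest mode) rather than once per result.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.suppress = 0

# Keep each triggered record for 4 hours and list it under Triggered Alerts.
alert.expires = 4h
alert.track = 1

# Email action. $name$, $job.resultCount$ and $results_link$ are Splunk alert tokens.
action.email = 1
action.email.to = you@example.com
action.email.subject.alert = Splunk alert: $name$ matched $job.resultCount$ 4xx events
action.email.message.alert = The alert $name$ matched $job.resultCount$ events in the last hour. Results: $results_link$
```

Splunk reads this file on restart, or you can reload saved searches without a restart through the REST endpoint services/saved/searches/_reload. The alert.track = 1 line turns on the Add to Triggered Alerts action, which the UI leaves off unless you check it.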

Step 5: Confirm Alert Creation

  1. Click View alert or go to the Alerts tab.

  2. The alert should look similar to the screenshot below.

    [Screenshot: alert-6]

  3. The alert now runs every hour, searches the past hour for 4xx errors and sends an email whenever the search returns at least one result. If you also enabled the Add to Triggered Alerts action, each firing appears under Activity > Triggered Alerts, which is the quickest way to confirm the schedule is working before the first email arrives.

Conclusion

Congratulations! You have completed the practice exercise: an alert that searches for status 4xx events every hour and sends an email when any are found. Continue to explore different alert configurations and actions, such as a threshold higher than zero, a per-client breakdown with stats count by clientip, or throttling, to build on these Splunk skills.