How to get Splunk alerts triggered

Create an Alert

1. Add data as Monitor and browse your application log file.



 

2. Review and start search.

3. Save that search as Alert.



Now You will get configuration window, configure as your need.

4. Configure Trigger Actions.



 

5. Save the configuration and got an alert.

Create App Passcode for Authentication

• For Gmail Users:
1. Go to your Google Account.
2. Select Security.
3. Under “Signing in to Google”, select App Passwords. You may need to sign in.
If you don’t have this option, you must set up 2-Step Verification first.
4. Select Other and assign name “Splunk“.
5. Click Generate and copy the 16 character Passcode.
You will use this App Passcode to configure the email settings in Splunk.

• For Yahoo Users:
Since I’m not using Yahoo, You can refer to this instruction.

Configure the email settings in Splunk

1. Navigate to Email Settings.



 

2. Email Settings



• Mail host: Provide the smtp server details and port
smtp.gmail.com:587 for Gmail
smtp.mail.yahoo.com:587 for Yahoo
• Email Security: Enable TLS
• User name: Provide your personal mail ID
• Password: Provide your personal mail password / App PASSCODE
Here we need to understand few things.
The personal mail account could have multi factor authentications. Combinations of password and OTP etc.. This could reject Splunk to use the mail account we had assigned. So we could assign an App Passcode for authentication and things made easier.

Trigger the alert

1. Take actions you set which will trigger the alert.
In my case, I will send a bad request to login with an username that does not exist.

2. Refresh the Alerts page, check Trigger History.

3. Check your email.

4. Check Triggered Alerts.

References