Splunk Lab - Scheduling Reports & Alerts

The document provides instructions for scheduling reports and alerts in Splunk. It describes creating a scheduled daily report to detect failed root logins from the previous 24 hours. The steps are: 1) Search for failed root logins from the last 24 hours 2) Save the search as a report titled "analyst_report_FailedRootLoginsLast24Hours" 3) Schedule the saved "L1S1" report to run daily at 6am to check for failed root logins in the previous 24 hour period.

Scheduling Reports and Alerts – Lab Guide

Overview
Welcome to the Splunk Education lab environment. In these labs you will create and schedule a report,
manage the report’s settings, create scheduled and real-time alerts, define alert trigger conditions, define
actions that respond to trigger conditions and view alert settings.
Scenario
You will use data from the international video game company, Buttercup Games. A list of source types is
provided below.

NOTE: This is a lab environment driven by data generators with obvious limitations. This is not a
production environment. Screenshots approximate what you should see, not the exact output.

Index      Type           Sourcetype         Interesting Fields
web        Online sales   access_combined    action, bytes, categoryId, clientip, itemId, JSESSIONID, price, productId, product_name, referer, referer_domain, sale_price, status, user, useragent
security   Web server     linux_secure       action, app, dest, process, src_ip, src_port, user, vendor_action

© 2021 Splunk Inc. All rights reserved. Scheduling Reports and Alerts 13 December 2021 1
Common Commands and Functions
These commands and statistical functions are commonly used in searches but may not have been explicitly
discussed in the module. Please use this table for quick reference. Click on the hyperlinked SPL to be taken to
the Search Manual for that command or function.
SPL: sort (command)
Description: Sorts results in descending or ascending order by a specified field. Can limit results to a specific number.
Example: Sort the first 100 src_ip values in descending order
  | sort 100 -src_ip

SPL: where (command)
Description: Filters search results using eval-expressions.
Example: Return events with a count value greater than 30
  | where count > 30

SPL: rename (command)
Description: Renames one or more fields.
Example: Rename SESSIONID to 'The session ID'
  | rename SESSIONID as "The session ID"

SPL: fields (command)
Description: Keeps (+) or removes (-) fields from search results.
Example: Remove the host field from the results
  | fields - host

SPL: stats (command)
Description: Calculates aggregate statistics over the results set.
Example: Calculate the total sales, i.e. the sum of price values
  | stats sum(price)

SPL: eval (command)
Description: Calculates an expression and puts the resulting value into a new or existing field.
Example: Concatenate first_name and last_name values with a space to create a field called "full_name"
  | eval full_name=first_name." ".last_name

SPL: table (command)
Description: Returns a table.
Example: Output vendorCountry, vendor, and sales values to a table
  | table vendorCountry, vendor, sales

SPL: sum() (statistical function)
Description: Returns the sum of the values of a field. Can be used with the stats, timechart, and chart commands.
Example: Calculate the sum of the bytes field
  | stats sum(bytes)

SPL: count or count() (statistical function)
Description: Returns the number of occurrences of all events or of a specific field. Can be used with the stats, timechart, and chart commands.
Example: Count all events as "events" and count all events that contain a value for action as "action"
  | stats count as events, count(action) as action

Refer to the Search Reference Manual for a full list of commands and functions.
Lab Exercises
Configure the lab environment user account.

Task 1: Log into Splunk and change the account name and time zone.

Set up your lab environment to fit your time zone. This also allows the instructor to track your progress and assist you if necessary.
1. Log into your Splunk lab environment using the username and password provided to you.
2. You may see a pop-up window welcoming you to the lab environment. You can click Continue to Tour but this is not required. Click Skip to dismiss the window.
3. Click on the username you logged in with (at the top of the screen) and then choose Account Settings from the drop-down menu.
4. In the Full name box, enter your first and last name.
5. Click Save.
6. Reload your browser to reflect the recent changes to the interface. After you complete step 6, you will see your name in the web interface. (This area of the web interface will be referred to as user name.)

NOTE: Sometimes there can be delays in executing an action like saving in the UI or returning results
of a search. If you are experiencing a delay, please allow the UI a few minutes to execute
your action.

7. Navigate to user name > Preferences.


8. Choose your local time zone from the Time zone drop-down menu.
9. Click Apply.
10. (Optional) Navigate to user name > Preferences > SPL Editor > Search auto-format and click on the
toggle to activate auto-formatting. Then click Apply. When the pipe character is used in search, the SPL
Editor will automatically begin the pipe on a new line.

Screenshots: Search auto-format disabled (default); Search auto-format enabled.
Scenario: Create a scheduled report for failed root logins over the last 24 hours.

Task 2: Save a search as a report.

1. Navigate to Apps > Search and Reporting.


2. Execute the following search over the Last 24 hours to find failed root logins (fail* root) from the web
server (sourcetype=linux_secure):

index=security sourcetype=linux_secure password fail* root

3. From the Save As menu (located above the time picker), select Report.
a. Title: analyst_report_FailedRootLoginsLast24Hours
b. Time Range Picker: Yes
c. Click Save.
4. In the Your Report Has Been Created dialog box, click View.

5. Click Reports. You can see the reports to which you have access. (You can re-execute a report by clicking
the title, or view or edit the search by clicking Open in Search.) Examine the All, Yours, and This App’s
list of saved reports.

6. For the analyst_report_FailedRootLoginsLast24Hours report, click Open in Search.


7. Save your search as a report with the name L1S1.
a. Click Save As > Report
b. For Title, enter L1S1.
c. Save.

d. You can View your report or exit out of the Your Report Has Been Created window by clicking
the X in the upper-right corner.
e. You can access your saved reports using the Reports tab in the application bar.

Your recently saved L1S1 report will be visible in the Reports tab.

Task 3: Schedule the failed logins report (L1S1) to run daily at 6 am.

8. If necessary, from the App drop-down menu, choose Search and Reporting to return to the Search view.
9. In the App navigation bar, click Reports.
10. For the row containing your L1S1 report, click Edit.
11. Select Edit Schedule.
12. Select Schedule Report.
13. Make the following selections:
a. Schedule: Run every day
b. At: 6:00
c. Time Range: Last 24 hours
d. Schedule Priority: Default
e. Schedule Window: 2 hours
14. Click the +Add Actions button to send an email when the scheduled report is triggered.
15. Select Send email.
16. Configure the Trigger Action as follows:
a. To: [email protected]
17. Leave all other options as default.
18. Click Save.

Scenario: Create a real-time alert for multiple failed logins.

Task 4: Create a search to identify specific types of failed logins.

19. Click Search.


20. Search for all events in the Linux secure logs over the Last 60 minutes.
21. Add the keywords failed password NOT invalid then, re-run the search.

index=security sourcetype=linux_secure failed password NOT invalid

Task 5: Create and view an alert.

22. From the Save As menu, select Alert.


a. Title: <student name>- Login Attempts
b. Permissions: Private
c. Alert type: Real-time
d. Expires: 24 hour(s).
e. Trigger alert when: Number of Results
f. Set the condition to: number of results is greater than 0 in 1 minute(s).

NOTE: This setting is set to 0 for testing. Once the alert is verified, you can change this value.

g. Trigger: For each result


h. Select Throttle.
i. Suppress results containing field value: host
j. Suppress triggering for: 60 second(s)
k. Click +Add Actions and select Add to Triggered Alerts.
l. Set the Severity to High.
m. Click Save.

23. Click View Alert. You should see an overview screen describing your new alert.

24. From the Splunk bar, click Activity > Triggered Alerts.
25. Select your name from the Owner menu and view the triggered alerts.

NOTE: It may take a few minutes for your alert to appear.

26. Click the View results link on a triggered alert to see the event(s) that caused the alert.

Task 6: Save the alert results as a report.

27. Click Save As and select Report.


28. For Title, enter L1S2.
29. Click Save.

Task 7: Disable the alert.

30. From the Apps drop-down menu, select Search and Reporting to return to the Search view.
31. In the App navigation bar, click Alerts.
32. For the row containing your alert, click Edit, then select Disable.
33. When the Disable dialog box appears, click Disable.
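The same objects that Tasks 3, 5 and 7 build through the UI can be expressed as savedsearches.conf stanzas, which is how they are stored on the search head and how a practitioner would review or version-control them. This is an added example, not part of the lab guide; the stanza names, the example.com address and the mapping of the UI severity High to alert.severity = 5 are assumptions.

```ini
# savedsearches.conf: the L1S1 scheduled report (Task 3) and the
# real-time login-attempts alert (Tasks 5 and 7) as stanzas.
# Added example, not from the lab guide. Assumed: stanza names,
# the example.com address, and High = alert.severity 5.

[L1S1]
# Task 2 search, evaluated over the 24 hours before each run
search = index=security sourcetype=linux_secure password fail* root
dispatch.earliest_time = -24h
dispatch.latest_time = now
# Task 3: run every day at 06:00 (server local time), default priority,
# and allow the scheduler a 2-hour (120 minute) window to start the job
enableSched = 1
cron_schedule = 0 6 * * *
schedule_priority = default
schedule_window = 120
# Task 3 trigger action: e-mail the results
action.email = 1
action.email.to = analyst@example.com

[Student Name - Login Attempts]
# Task 4 search
search = index=security sourcetype=linux_secure failed password NOT invalid
# Task 5: real-time alert over a 1-minute sliding window, expires after 24h
# (the Private permission is not stored here; it lives in metadata/local.meta)
enableSched = 1
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
alert.expires = 24h
# Trigger when the number of results is greater than 0 ...
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# ... once for each result (digest mode off), throttled per host for 60 s
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 60s
# Action: Add to Triggered Alerts, severity High
alert.track = 1
alert.severity = 5
# Task 7: disabling the alert from the UI sets this flag
disabled = 1
```

After the file is placed in an app's local directory, `splunk btool savedsearches list L1S1` shows the merged stanza as Splunk will actually run it.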
