Create the Search --> Save the Search --> Build a Report
Create the Search
- Search path field in Splunk>
(This will search through all the data in your indexes and build a custom "OSSEC_RULE" field within your search criteria. The OSSEC_RULE field will capture the rule number from each "Rule: ????" line in your OSSEC alerts.)
- Select "Last 24 hours" from the time range drop-down menu
- Click the green arrow to perform your search!
- When the alerts start loading into your page you will notice the "OSSEC_RULE" field on the left-hand side of your Splunk Search page, along with the other fields.
- If it is not there, click on the "All ??? fields" link, locate the OSSEC_RULE field, click on the green arrow to add it to your "Selected fields" and click the "Save" button. Now you should see the OSSEC_RULE field on the left-hand side. If you still don't see it, check that your search criteria are correct.
Save the Search
- Now click on "Save search", located on the top right of the Splunk Search page
- Enter a custom Name, Description and Time range, tick the "Schedule this search" check box, then click the Save button
Build a Report
- Now click on "Build report", located next to the Save Search link
- Click the "Define report data through a form" link
- Select 24hrs from the Time Range drop-down menu, then click the Next button to format the report
- In the Report type drop-down menu select "Rare values"
- Now select "OSSEC_RULE" from the drop-down menu as the specific Field to use for the report
- Click the "Next Step" button to format the report
(Check out all of the OSSEC Rules that were found in your Splunk system... kind of cool)
- Choose the Chart type and Chart title, click Apply, then click the "Save" button on the top menu
- Enter a Name, Description and Time Range, then click "Schedule this search".
- Select the Schedule Type, alert conditions and actions, then click Save
- Now you will be able to add this report to your dashboard or, depending on the action you selected, run a script when a condition is met or email the report
Simple as pie!
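As an added illustration (not part of the original post), this Python script performs the same "Rule: ????" extraction that the custom OSSEC_RULE field does and ranks the values the way a "Rare values" report does, over a few constructed OSSEC alerts. The regex in the comment is an assumed equivalent of a Splunk rex extraction; the post does not show its actual search string.

```python
import re
from collections import Counter

# Constructed sample OSSEC alerts (not real data); the "Rule: NNNN"
# line of each alert is what the custom OSSEC_RULE field captures.
SAMPLE_ALERTS = """\
** Alert 1700000000.1: - syslog,sshd,authentication_failed,
2023 Nov 14 22:13:20 host1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1700000005.2: - syslog,sshd,authentication_failed,
2023 Nov 14 22:13:25 host1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1700000010.3: - ossec,syscheck,
2023 Nov 14 22:13:30 host1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'

** Alert 1700000015.4: - syslog,sudo,
2023 Nov 14 22:13:35 host2->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
"""

# Assumed Splunk equivalent of this extraction:
#   ... | rex field=_raw "Rule: (?<OSSEC_RULE>\d+)" | rare OSSEC_RULE
RULE_RE = re.compile(
    r"^Rule: (?P<OSSEC_RULE>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'",
    re.M,
)

def extract_rules(alert_text):
    """Return one dict per alert holding OSSEC_RULE, level and description."""
    return [m.groupdict() for m in RULE_RE.finditer(alert_text)]

def rare_values(events, field="OSSEC_RULE"):
    """Mimic a 'Rare values' report: least frequent values of the field first.

    Returns (value, count, percent) tuples sorted by count, then rule number.
    """
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], int(kv[0])))
    return [(v, n, round(100.0 * n / total, 2)) for v, n in ranked]

if __name__ == "__main__":
    for value, n, pct in rare_values(extract_rules(SAMPLE_ALERTS)):
        print(f"OSSEC_RULE={value:<6} count={n}  percent={pct}")
```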