https://community.splunk.com/t5/Getting-Data-In/Alert-by-Source-IP-Where-Threshold-Exceeded/m-p/57431#M11216 <P>Works great! Thanks.</P> Tue, 12 Mar 2013 14:51:08 GMT vragosta 2013-03-12T14:51:08Z https://community.splunk.com/t5/Getting-Data-In/Alert-by-Source-IP-Where-Threshold-Exceeded/m-p/57429#M11214 <P>I have the following alert created in Splunk to alert me when the number of firewall drops exceeds 30 within a specified time span:</P> <PRE><CODE>source="udp:514" error_code=106001 | stats count as NumDrops by src_ip | where NumDrops &gt; 30 </CODE></PRE> <P>When I receive the email for this alert, the attached csv file contains only the src_ip and NumDrops fields. This is understandable, as this is what the search returns. However, I would like to see each individual log that comprises this search in the alert email. How would I go about doing this? Do I need to somehow chain the searches, whereby I find out which src_ip triggers the alert and then perform another search using this src_ip?</P> <P>Thanks!</P> Mon, 28 Sep 2020 13:29:29 GMT https://community.splunk.com/t5/Getting-Data-In/Alert-by-Source-IP-Where-Threshold-Exceeded/m-p/57429#M11214 vragosta 2020-09-28T13:29:29Z https://community.splunk.com/t5/Getting-Data-In/Alert-by-Source-IP-Where-Threshold-Exceeded/m-p/57430#M11215 <P>You could replace stats with eventstats. Instead of dropping everything but the count and the src_ip it adds the count to the event.</P> Mon, 11 Mar 2013 21:22:31 GMT https://community.splunk.com/t5/Getting-Data-In/Alert-by-Source-IP-Where-Threshold-Exceeded/m-p/57430#M11215 martin_mueller 2013-03-11T21:22:31Z https://community.splunk.com/t5/Getting-Data-In/Alert-by-Source-IP-Where-Threshold-Exceeded/m-p/57431#M11216 <P>Works great! Thanks.</P> Tue, 12 Mar 2013 14:51:08 GMT https://community.splunk.com/t5/Getting-Data-In/Alert-by-Source-IP-Where-Threshold-Exceeded/m-p/57431#M11216 vragosta 2013-03-12T14:51:08Z