https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426308#M7426 <P>It has no name, they differ by the IP, the field of the camera is IPCamara</P> Fri, 14 Jun 2019 17:08:33 GMT josedgaravito 2019-06-14T17:08:33Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426304#M7422 <P>Hi, splunkers.</P> <P>I need to generate an alert when more than 10 events related to the same camera are generated in 1 hour. I have tried with count and other commands but it has not been possible.</P> <P>the examples of events are: </P> <P><STRONG>[2019-06-03 01:22:40]</STRONG> Cámara CAM004: La cámara esta presentando problemas {"Workstation":"192.168.10.2","Camara":"172.16.8.12","estadoSeñal":"Camera Connection Status(Lost)"}.</P> <P>When a camera fails, they are presented around 20 events in a time range of one hour. </P> Fri, 14 Jun 2019 16:01:56 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426304#M7422 josedgaravito 2019-06-14T16:01:56Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426305#M7423 <P>Hola @josedgaravito,</P> <P>I see what you want to do, have a look here, should be a very similar solution :<BR /> <A href="https://answers.splunk.com/answers/751158/how-to-find-out-falied-login-attemptseventcode4625-1.html#answer-751164">https://answers.splunk.com/answers/751158/how-to-find-out-falied-login-attemptseventcode4625-1.html#answer-751164</A></P> <P>Your query should be something like this :</P> <PRE><CODE> yourBaseSearch | bin _time span=1h | stats count by cameraID,_time | where count &gt; 10 </CODE></PRE> <P>Let me know if you need more help.</P> <P>Cheers,<BR /> David</P> Fri, 14 Jun 2019 16:18:53 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426305#M7423 DavidHourani 2019-06-14T16:18:53Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426306#M7424 <P>@josedgaravito What is the field name for Camera, do you need to extract the fields or are they already extracted? How does your search query look.</P> Fri, 14 Jun 2019 16:20:10 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426306#M7424 Vijeta 2019-06-14T16:20:10Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426307#M7425 <P>Hi @josedgaravito ,</P> <P>You could try this as well:<BR /> <PRE> ... [ your base search ] ... earliest=-1h<BR /> | rex "Cámara (?&lt;camara&gt;[^:]+):"<BR /> | stats count by camara<BR /> | where count &gt; 10</PRE></P> <P>This should show results for camara having more than 10 events in the time frame specified.</P> Fri, 14 Jun 2019 16:59:52 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426307#M7425 jnudell_2 2019-06-14T16:59:52Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426308#M7426 <P>It has no name, they differ by the IP, the field of the camera is IPCamara</P> Fri, 14 Jun 2019 17:08:33 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426308#M7426 josedgaravito 2019-06-14T17:08:33Z https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426309#M7427 <P>@josedgaravito </P> <PRE><CODE>&lt;your search&gt;|bin _time span=1h | stats count by IPCamera _time| where count &gt; 10 </CODE></PRE> Fri, 14 Jun 2019 17:21:42 GMT https://community.splunk.com/t5/Alerting/How-to-create-an-alert-when-more-than-10-events-have-appeared-in/m-p/426309#M7427 Vijeta 2019-06-14T17:21:42Z