topic search by specific condition within time range in Splunk Search

search by specific condition within time range

hjwang — Wed, 27 Oct 2010 14:13:34 GMT

Hello,i would like to search the specific ip attack events within the specific time range for real time,e.g. if the attack events of one IP are more than 5 times, splunk will send an alert. i use host="xxx" eventtype="specific_ip"| timechart span=1m count(SRC_IP) by SRC_IP, it can show the attack times table group by SRC_IP within each 1min time range, now how can i just pick the attack times more than 3 times, that is to say if there exists such one event(>=3), then spluck will send an alert?Thanks

Re: search by specific condition within time range

Michael_Wilde — Wed, 27 Oct 2010 20:35:24 GMT

instead of using "timechart" you might consider this..

host="xxx" eventtype="specific_ip" earliest=-1m@m| stats count by src_ip | where count >=3

This search says... in the last minute (on the minute) summarize the count events by src_ip, where any cell in the "count" column stats table is greater than or equal to three.

you also might schedule this search to run every minute. 3 failed logins is a rather simplistic search. You might consider looking at a successful login after three failed logins.

Re: search by specific condition within time range

hjwang — Mon, 28 Sep 2020 09:19:53 GMT

Thanks,Michael, if i use earliest command, the time's span can not be shown in search result table, only (src_ip, count). i wanna show like (_time, src_ip, count) but if i use timechart...| where count>=3, the search result table would not be displayed.