topic Re: How to alert when a field value has > 500 events in Splunk Search

How to alert when a field value has > 500 events?

mninansplunk — Thu, 15 Jun 2023 18:02:12 GMT

Hello,

I'm not sure how to achieve this. I need to create an alert for when a field (user) value has > 500 events for when another field (eventType) is filtered on a specific value.

i.e.

User: John

EventType: Blocked

I can't figure it out. Here's what I have so far:

Thanks for any help on this,

Tom

Re: How to alert when a field value has > 500 events

yuanliu — Wed, 14 Jun 2023 15:39:03 GMT

Would this do

|stats count by user, eventType | where eventType == "Blocked" AND count > 500

(Note your code sample says eventType while the text description says EventType.)

Re: How to alert when a field value has > 500 events

mninansplunk — Thu, 15 Jun 2023 13:16:26 GMT

Perfect, that did the trick, thank you for the help.