https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175179#M50275 <P>I assume this is some "rules facility" inside of Splunk ES app, right?</P> Fri, 08 May 2015 15:22:40 GMT woodcock 2015-05-08T15:22:40Z https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175178#M50274 <P>I am trying to write a rule that fires if a single source IP creates 40 denied connections to at least 40 destinations in five minutes.</P> <P>| stats count dc(dest) as dest_count, values(dest) as Dest by action, src, signature_id, dest_port | search dest_count&gt;40 AND count &gt; 40 | eval searchtimespanminutes=5</P> <P>Could anyone tell me if using "searchtimespanminutes" is right and will this work? Or any suggestions would be much appreciated. </P> Mon, 28 Sep 2020 19:46:19 GMT https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175178#M50274 Meena27 2020-09-28T19:46:19Z https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175179#M50275 <P>I assume this is some "rules facility" inside of Splunk ES app, right?</P> Fri, 08 May 2015 15:22:40 GMT https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175179#M50275 woodcock 2015-05-08T15:22:40Z https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175180#M50276 <P><CODE>searchtimespanminutes</CODE> is a depricated time modifier that goes after <CODE>earliest=</CODE> at the start of your search (before the first pipe).<BR /> You can read about them here. <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/SearchTimeModifiers">http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/SearchTimeModifiers</A><BR /> So, first... you're not specifying a time modifier... and second, Splunk uses the time modifier to GET the data, and it isn't used as a filter afterwards... at least not like that. So right now, your eval just creates a field, with that name holding the value of 5 and it's not seen as having anything to do with the timespan...</P> <P>As far as an alert is concerned... the way you look at things is a bit different regarding the search:</P> <P>basically you're creating a search for the alert that will trigger under one of the following conditions:<BR /> The two that apply here are "number of results" and/or custom condition which would be <CODE>search dest_count&amp;gt;40 AND count &amp;gt; 40</CODE> or you can leave <CODE>search dest_count&amp;gt;40</CODE> in the search for context (when you look at it in a year) and have the condition be <CODE>count&amp;gt;40</CODE>.<BR /> There is a slightly different set of conditions for a real-time search... <BR /> So you're going to build a search that produces some number of results that the alert structure looks at and uses as a trigger.<BR /> Make sense?</P> <P>If you're looking at historical data to find out if that condition has been met at all... in say, the past year... that's another story. </P> <P>I have something like this watching firewall data from my router and those of a couple of colleagues:</P> <P><CODE>index=syslog action="DROP" host="192.168.1.*"| timechart span=1h count | streamstats avg(count) as Count_Average stdev(count) as Standard_Deviation | eval Count_Average = round(Count_Average,0) | eval Standard_Deviation = round(Standard_Deviation,0) | where count&gt;Count_Average+(2*Standard_Deviation) | rename count as Count</CODE></P> <P>It runs over a span of 7 days and updates a dashboard... which basically shows "weird stuff that should be observed"</P> Fri, 08 May 2015 18:15:23 GMT https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175180#M50276 rsennett_splunk 2015-05-08T18:15:23Z https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175181#M50277 <P>I did try that... didnt work...</P> Tue, 02 Jun 2015 06:23:47 GMT https://community.splunk.com/t5/Splunk-Search/Excessive-Firewall-Denies-query/m-p/175181#M50277 Meena27 2015-06-02T06:23:47Z