
Auth timeouts from duplicate NAS IP

New Member

I am wanting to trigger an alert when there are multiple auth timeouts from a single NAS IP. I am using the search below to find the auth timeouts and am creating an alert from that search. But I want the trigger condition to be if we see 10 or more of these timeouts from a single NAS IP without having to create an individual alert per NAS IP.

host = "auth-server" "login_status=timeout"


Re: Auth timeouts from duplicate NAS IP

Ultra Champion
host = "auth-server" "login_status=timeout"
|stats count by NAS_IP
| where count >= 10

Fire the alert when the event count > 0.


Re: Auth timeouts from duplicate NAS IP

New Member

Thank you. When I use this in the search, nothing shows up - even if I change it to "where count >= 1". Any ideas?


Re: Auth timeouts from duplicate NAS IP

Ultra Champion

I don't know whether your log has a NAS_IP field.
You should change it to your field.

host = "auth-server" "login_status=timeout"
Why do you search for the string "login_status=timeout"?
Is login_status nothing?

see: https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf

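The first answer's `stats count by NAS_IP | where count >= 10` and the second answer's point that the NAS_IP field must actually exist, reproduced as an added Python example (not code from this thread or from Splunk): it runs the same count-and-threshold over constructed key=value events and shows that events missing the group field, including a differently cased `nas_ip`, silently drop out of the grouping, which is one way such a search returns nothing.

```python
import re
from collections import Counter

# Constructed sample events, not from the original thread. Field names are
# case-sensitive in Splunk, so the "nas_ip" event below is NOT grouped under NAS_IP.
SAMPLE_EVENTS = (
    [f"host=auth-server login_status=timeout NAS_IP=10.0.0.1 user=u{i}" for i in range(12)]
    + [f"host=auth-server login_status=timeout NAS_IP=10.0.0.2 user=u{i}" for i in range(3)]
    + ["host=auth-server login_status=success NAS_IP=10.0.0.1 user=bob"]
    + ["host=auth-server login_status=timeout nas_ip=10.0.0.3 user=carol"]
    + ["host=other-server login_status=timeout NAS_IP=10.0.0.1 user=dave"]
)

# Simple key=value extraction, standing in for Splunk's automatic field extraction.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_fields(event):
    """Return a dict of key=value pairs found in one raw event."""
    return {k: v.strip('"') for k, v in KV_RE.findall(event)}


def timeouts_per_nas(events, host="auth-server", group_field="NAS_IP"):
    """Equivalent of: host="auth-server" login_status=timeout | stats count by NAS_IP

    Returns (counts, dropped). Like `stats ... by`, events that match the search
    but lack the group field are dropped; `dropped` counts them for diagnosis.
    """
    counts = Counter()
    dropped = 0
    for raw in events:
        fields = extract_fields(raw)
        if fields.get("host") != host or fields.get("login_status") != "timeout":
            continue
        if group_field not in fields:
            dropped += 1
            continue
        counts[fields[group_field]] += 1
    return counts, dropped


def offending_nas(events, threshold=10, group_field="NAS_IP"):
    """Equivalent of the trailing `| where count >= threshold`.

    The alert condition "event count > 0" is simply: this dict is non-empty.
    """
    counts, _ = timeouts_per_nas(events, group_field=group_field)
    return {nas: n for nas, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(offending_nas(SAMPLE_EVENTS))                      # {'10.0.0.1': 12}
    print(timeouts_per_nas(SAMPLE_EVENTS, group_field="NASIP"))  # (Counter(), 16): wrong field name
```

Running it with a misspelled group field reproduces the "nothing shows up" symptom from the thread: every matching event is dropped and the result set is empty even at `where count >= 1`.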