Auth timeouts from duplicate NAS IP

New Member

I am wanting to trigger an alert when there are multiple auth timeouts from a single NAS IP. I am using the search below to find the auth timeouts and am creating an alert from that search. But I want the trigger condition to be if we see 10 or more of these timeouts from a single NAS IP without having to create an individual alert per NAS IP.

host = "auth-server" "login_status=timeout"


Re: Auth timeouts from duplicate NAS IP

Ultra Champion
host = "auth-server" "login_status=timeout"
| stats count by NAS_IP
| where count >= 10

Fire the alert on event count > 0.


Re: Auth timeouts from duplicate NAS IP

New Member

Thank you. When I use this in the search, nothing shows up - even if I change it to "where count >= 1". Any ideas?


Re: Auth timeouts from duplicate NAS IP

Ultra Champion

I don't know whether your log has a NAS_IP field.
You should change it to your field.

host = "auth-server" "login_status=timeout"
Why do you search for the string "login_status=timeout"?
Is login_status nothing?

see: https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf

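As an added illustration (not code from either poster), the Python below models the three stages of the search given in the first reply over a constructed set of events: the base search for login_status=timeout on host auth-server, `stats count by NAS_IP`, and `where count >= 10`. It also reproduces the symptom from the follow-up: `stats count by` silently drops every event that lacks the by-field, so a field name that does not match what is actually extracted from the logs returns nothing even at a threshold of 1. The field name NAS_IP, the sample IPs and the key=value event format are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (not real logs) in the shape the question's
# search targets: host=auth-server events carrying login_status and a
# NAS_IP field as key=value pairs. 12 timeouts from one NAS, 3 from another.
SAMPLE_EVENTS = (
    [f"host=auth-server user=u{i} NAS_IP=10.0.0.5 login_status=timeout" for i in range(12)]
    + [f"host=auth-server user=u{i} NAS_IP=10.0.0.7 login_status=timeout" for i in range(3)]
    + ["host=auth-server user=u99 NAS_IP=10.0.0.5 login_status=success"]
)

# key=value pairs, with optional double-quoted values
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_fields(event: str) -> dict:
    """Parse key=value pairs into a dict (quotes stripped), standing in for
    Splunk's automatic key=value field extraction."""
    return {k: v.strip('"') for k, v in KV_RE.findall(event)}


def search(events, host, field, value):
    """Stage 1, the base search: keep events from the given host whose
    extracted field equals the value. Returns the parsed field dicts."""
    out = []
    for e in events:
        f = extract_fields(e)
        if f.get("host") == host and f.get(field) == value:
            out.append(f)
    return out


def count_by(fields_list, by_field):
    """Stage 2, '| stats count by <by_field>': events that lack the by-field
    contribute nothing, so a misspelled or unextracted field name produces
    an empty table rather than an error."""
    return Counter(f[by_field] for f in fields_list if by_field in f)


def nas_over_threshold(events, by_field="NAS_IP", threshold=10):
    """Stage 3, '| where count >= threshold': returns [(nas, count), ...]
    sorted by count descending. A non-empty list is the alert condition
    (equivalent to 'event count > 0' on the search result)."""
    timeouts = search(events, host="auth-server", field="login_status", value="timeout")
    counts = count_by(timeouts, by_field)
    return sorted(((nas, n) for nas, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    # Correct by-field: one NAS crosses the threshold of 10.
    print(nas_over_threshold(SAMPLE_EVENTS))
    # By-field that the logs do not carry: empty even at threshold 1,
    # which is the "nothing shows up" symptom from the follow-up post.
    print(nas_over_threshold(SAMPLE_EVENTS, by_field="NasIp", threshold=1))
```

The practical check when the search returns nothing is to run the base search alone and confirm in the field sidebar that the field you group by (here NAS_IP) actually exists with that exact name; the stats and where stages cannot produce rows from a field that was never extracted.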