Auth timeouts from duplicate NAS IP

mattbfrederick · ‎03-31-2020

I am wanting to trigger an alert when there are multiple auth timeouts from a single NAS IP. I am using the search below to find the auth timeouts and am creating an alert from that search. But I want the trigger condition to be if we see 10 or more of these timeouts from a single NAS IP without having to create an individual alert per NAS IP.

host = "auth-server" "login_status=timeout"

to4kawa · ‎04-01-2020

host = "auth-server" "login_status=timeout"
|stats count by NAS_IP
| where count >= 10

fire alert event count > 0

mattbfrederick · ‎04-01-2020

Thank you. When I use this in the search, nothing shows up - even if I change it to "where count >= 1". Any ideas?

to4kawa · ‎04-01-2020

I don't know your log has NAS_IP field.
you should change it your field.

host = "auth-server" "login_status=timeout"
Why do you search the strings "login_status=timeout" ?
login_status is nothing?

see: https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf

Auth timeouts from duplicate NAS IP

alert condition

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation

Auth timeouts from duplicate NAS IP

alert condition

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights