Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correct way to do count over time

Vantine
Engager
‎12-13-2023 05:39 AM

Trying to set up an alert to show any log in that has had 500 log on failures in under 30 min.

 

Here is what I currently have (with non relevant data changed)

index=* sourcetype=* action=failure EventCode=4771 OR EventCode=4776 | bucket _time span=30m | stats count by user | where count>500

I want to make sure this is correct.

 

Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-13-2023 10:15 AM

Hi @Vantine,

don't use timechart:

index=eits_wineventlog_security sourcetype=WinEventLog (EventCode=4771 OR EventCode=4776)
| bin span=60m _time
| stats count BY user _time
| where count>5

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-13-2023 05:44 AM

Hi @Vantine,

yes it's correct.

You're speaking of windows log so you could simplify (and make faster) your search in this way:

index=wineventlog sourcetype=wineventlog EventCode=4771 OR EventCode=4776 
| timechart span=30m count by user 
| where count>500

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Vantine
Engager
‎12-13-2023 09:24 AM

Wasnt getting results, so I went longer and smaller errors. Still not getting anything.

Here is how I have it

index=eits_wineventlog_security sourcetype=WinEventLog  EventCode=4771 OR EventCode=4776

| timechart span=60m count by user
| where count>5

I know for sure we have had enough failures to at least get a few.

Thanks

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-13-2023 10:15 AM

Hi @Vantine,

don't use timechart:

index=eits_wineventlog_security sourcetype=WinEventLog (EventCode=4771 OR EventCode=4776)
| bin span=60m _time
| stats count BY user _time
| where count>5

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...