Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Creating a search to check the if any user has sent more than 100 emails per hour

singriajay
Explorer
‎07-22-2019 02:25 AM

Hi Team,

I have used the below search to find the top senders 

eventtype=cisco-esa | transaction keepevicted=true icid mid | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" threat_reason="*" | stats count by sender,recipient,threat_reason,host,sender_reputation,policy_direction,_time | top sender

But I need to create an alert if any sender has sent emails more than 25 per hour

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2019 05:38 AM

If you want an alert when something happens, then you need to search for that something.

eventtype=cisco-esa earliest=-60m 
| transaction keepevicted=true icid mid 
| search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" threat_reason="*" 
| stats count, values(recipient) as recipients, values(threat_reason) as threat_reasons, values(host) as hosts, values(sender_reputation) as sender_reputation, values(policy_direction) as policy_direction, values(_time) as _time by sender
| where count>100
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

singriajay
Explorer
‎07-22-2019 09:44 PM

Hi richgalloway,

I wanted to get the count of senders to multiple users; in the above query we get only the count of senders per recipient.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2019 05:55 AM

The above answer displays "any sender has sent emails more than 25 per hour". To get sender/recipient pairs, try this:

eventtype=cisco-esa earliest=-60m 
 | transaction keepevicted=true icid mid 
 | search host="*" sender="*" recipient="*" dest_interface="*" policy_direction="*" threat_reason="*" 
 | stats count, values(threat_reason) as threat_reasons, values(host) as hosts, values(sender_reputation) as sender_reputation, values(policy_direction) as policy_direction, values(_time) as _time by sender,recipient
 | where count>100
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...