Alerting
Highlighted

Custom Trigger Condition -- How do I write this basic rule?

Engager

Hi All,

I have a very basic alert I want to setup. Essentially I want to trigger an alert when Splunk sees more then X amount of deny logs from the same source address.

I can create an alert if its sees more then X amount of deny logs but I am only interested when a high ammount of denies come from a single source.

If I could see how this is written the logic can be used to create countless other alert conditions. I appreciate any help. Below is a sample deny log

Apr  8 13:45:20 192.168.100.1 1 2014-04-08T13:45:21.129-04:00 FW RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="192.55.66.44" source-port="7986" destination-address="172.19.2.1" destination-port="2000" service-name="junos-sccp" protocol-id="6" icmp-type="0" policy-name="DENY-LOG(global)" source-zone-name="trust" destination-zone-name="trust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="vlan.3" encrypted="UNKNOWN" reason="policy deny"] session denied 192.55.66.44/7986->172.19.2.1/2000 junos-sccp 6(0) DENY-LOG(global) trust trust UNKNOWN UNKNOWN N/A(N/A) vlan.3 UNKNOWN policy deny
Tags (2)
Highlighted

Re: Custom Trigger Condition -- How do I write this basic rule?

SplunkTrust
SplunkTrust

You'd do something like this:

base search yielding deny events | stats count by source-address | where count > X

I'm assuming you're looking at the field source-address, fill in a value for X. Define an alert to trigger whenever this search yields events.

Highlighted

Re: Custom Trigger Condition -- How do I write this basic rule?

Engager

Hi,

I am a little confused. I created a regular search looking for the word deny. This matches all the deny logs from my firewall.

From there I saved the search as an alert. Now under the trigger condition selected custom and put the following

stats count by source-address | where count > 5

This is a realtime search looking at the past 1 minute.

What am I doing wront here?

0 Karma
Highlighted

Re: Custom Trigger Condition -- How do I write this basic rule?

SplunkTrust
SplunkTrust

The stats should be part of the saved search. The where can be part of the search as well, or it can be defined in the trigger condition.

0 Karma
Highlighted

Re: Custom Trigger Condition -- How do I write this basic rule?

New Member

Does this work

base search calculates value of Lot1

Can I use Lot1 like below

where Lot1 > 80
0 Karma