Alerting

Fetching the keywords before creating queries

Amadou
Loves-to-Learn

Hello, 

I just want to know, before creating an alert, how to find the keywords that will compose your alert?

Please answer with an example.

Thank you so much.

0 Karma

Amadou
Loves-to-Learn

@gcusello In case you just have an index and you have to find keywords inside of this index, from which parameter do you choose your keywords inside of this index? As we know, in the left side of Splunk you have many fields with keywords.

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

The main issue in developing a Splunk search is to know what to search; then you can use SPL to search for the rules that you defined from your knowledge of the technology to monitor.

I don't know what your technology to monitor is; as I said in my sample, if you are using Windows, EventCode=4625 means a failed login.

So what are the conditions that you need to search?

If you need to search for a value in a field (e.g. EventCode=4625), you can use this field; if you need to search for a string (e.g. "login successful"), you can search for this string.

Did you try to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to be guided in the use of SPL?

Ciao.

Giuseppe

0 Karma

Amadou
Loves-to-Learn

@gcusello For instance, you received a ticket that says you have to create an alert to detect multiple failed login attempts by the IAM root user, in index aws.

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

Search in AWS logs or documentation for how to recognize a failed login in AWS (e.g. in Windows a failed login is EventCode=4625) and modify my search.

Ciao.

Giuseppe

0 Karma

Amadou
Loves-to-Learn

Thank you so much. I just found out that it is all about search: any time you receive an index to create an alert, you should do research on this index and the specific request that the user wants you to detect inside of this index.

Example: redshift / consecutive login failed

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

As I said, you have to find the conditions to search for (in other words, the words, strings or field values to search for).

Then you can use the stats command to find the number of occurrences grouped, e.g., by host and user.

E.g. in Windows, if you want an alert when failed logins are greater than 5, you could run:

index=wineventlog EventCode=4625
| stats count BY host user
| where count>5

Ciao.

Giuseppe

0 Karma

Amadou
Loves-to-Learn

@gcusello Thank you so much

0 Karma

gcusello
SplunkTrust

Hi @Amadou,

Could you better describe your requirement?

In the alert you should insert the conditions to verify.

E.g. if you want to check that in Windows there aren't 10 failed login events (EventCode=4625), you could run:

index=wineventlog EventCode=4625
| stats count BY host user
| where count>10

As I said, the search depends on the conditions to check.

Ciao.

Giuseppe

0 Karma
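The two threshold searches gcusello posted above (filter on EventCode=4625, count BY host user, then where count>5 or count>10) expressed as a small Python script run over constructed sample lines, so the grouping and the strict "greater than" cut-off can be seen outside Splunk. This is an added example, not code from the thread or from Splunk; the key=value line layout, the host names and the user names are made up for the demo.

```python
import re
from collections import Counter

# Constructed sample log, laid out as key=value pairs (an assumption made
# for this demo; real Windows Security events carry many more fields).
# ws01/alice: 6 failures (trips a >5 alert, not a >10 one)
# ws02/bob:  11 failures (trips both)
# ws03/carol: 2 failures plus one success (4624), trips neither
SAMPLE_LOG = "\n".join(
    ["EventCode=4625 host=ws01 user=alice"] * 6
    + ["EventCode=4624 host=ws01 user=alice"]
    + ["EventCode=4625 host=ws02 user=bob"] * 11
    + ["EventCode=4625 host=ws03 user=carol"] * 2
    + ["EventCode=4624 host=ws03 user=carol"]
)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty key=value line into a dict of its fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(KV_RE.findall(line)))
    return events


def failed_logins_by_host_user(events, event_code="4625"):
    """Equivalent of: EventCode=4625 | stats count BY host user.

    Events missing host or user are dropped, as stats BY would drop them.
    """
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") == event_code and "host" in ev and "user" in ev:
            counts[(ev["host"], ev["user"])] += 1
    return counts


def over_threshold(counts, threshold):
    """Equivalent of: | where count>threshold (strict, like the SPL posted)."""
    return sorted(
        (host, user, n) for (host, user), n in counts.items() if n > threshold
    )


if __name__ == "__main__":
    counts = failed_logins_by_host_user(parse_events(SAMPLE_LOG))
    for threshold in (5, 10):
        print(f"count>{threshold}:", over_threshold(counts, threshold))
```

One thing the Python version makes obvious that the SPL hides: the count is taken over whatever events are fed in, so in Splunk the alert's time range (for example, the last 15 minutes on a scheduled search) is what turns "more than 5 failures" into "more than 5 failures within a window". Pick that range deliberately, or the same six failures spread over a week will fire the alert just as a burst would.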