Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I create an alert when a single ip address exceeds the OTHER or another arbitrary IP address?

jptechnical
Explorer
‎04-14-2015 10:26 AM

I have a very simple search showing me a nice spike when a single (or multiple) IP address exceeds the OTHER addresses, and in particular the reverse proxy. I also exclude an arbitrary address that has a high amount of traffic.

index=websrv sourcetype=iis NOT "10.1.1.3"  NOT "10.1.2.3"  | timechart  count by c_ip

How can I make this into an alert when a single IP address exceeds either OTHER OR the address for the proxy (let's say it's address is 10.1.1.50)?

Any help will be much appreciated. My eyes hurt from trying to figure what is probably a super simple issue.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-14-2015 05:51 PM

Hello!
First of all, i need you to follow the link bellow, to undertand how an ip address can be bigger than an other.
http://stackoverflow.com/questions/3664986/how-would-you-compare-two-ip-addresses-to-see-which-one-i...
Second let suppose that you want to trigger an alert when a single IP address exceeds the address for the proxy (let's say it's address is 10.1.1.50).
Third, i will use a regular expression to extract each octed of the ip address with the proxy address, before make my comparision.
Fourth, you just need to lauch the search, save it as an alert an configure it as you need. Tested, and it is working perfectly.

Here is the query:

index=websrv sourcetype=iis NOT "10.1.1.3"  NOT "10.1.2.3" c_ip=*| rex "c_ip=(?<firstoct>\d+)\.(?<secondoct>\d+)\.(?<thirdoct>\d+)\.(?<fourthoct>\d+)\s" | eval exceed=if((firstoct)>10, 1,if( (firstoct==10) AND (secondoct>1) ,1,if((firstoct==10) AND (secondoct==1) AND (thirdoct>1),1,if((firstoct==10) AND (secondoct==1) AND (thirdoct==1) AND (fourthoct>1),1,0))))|where exceed==1|timechart values(exceed) by c_ip

Please let me know, if any issue

SGF

View solution in original post

Reply
Solved! Jump to solution

Runals
Motivator
‎04-18-2015 05:12 AM

Similar to stephanefotso I'd look at the eventstats command

index=websrv sourcetype=iis NOT (whatever) | stats count as hits by c_ip | eventstats avg(hits) as avg_hits stdev(count) as stdev_hits | where hits > avg_hits * (stdev * 2)

I think I have that right; been a while since I've used stdev. Of course based on volume of traffic you could start by simply looking at where hits > avg_hits.

Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-14-2015 05:51 PM

Hello!
First of all, i need you to follow the link bellow, to undertand how an ip address can be bigger than an other.
http://stackoverflow.com/questions/3664986/how-would-you-compare-two-ip-addresses-to-see-which-one-i...
Second let suppose that you want to trigger an alert when a single IP address exceeds the address for the proxy (let's say it's address is 10.1.1.50).
Third, i will use a regular expression to extract each octed of the ip address with the proxy address, before make my comparision.
Fourth, you just need to lauch the search, save it as an alert an configure it as you need. Tested, and it is working perfectly.

Here is the query:

index=websrv sourcetype=iis NOT "10.1.1.3"  NOT "10.1.2.3" c_ip=*| rex "c_ip=(?<firstoct>\d+)\.(?<secondoct>\d+)\.(?<thirdoct>\d+)\.(?<fourthoct>\d+)\s" | eval exceed=if((firstoct)>10, 1,if( (firstoct==10) AND (secondoct>1) ,1,if((firstoct==10) AND (secondoct==1) AND (thirdoct>1),1,if((firstoct==10) AND (secondoct==1) AND (thirdoct==1) AND (fourthoct>1),1,0))))|where exceed==1|timechart values(exceed) by c_ip

Please let me know, if any issue

SGF
Reply
Solved! Jump to solution

jptechnical
Explorer
‎04-15-2015 08:01 AM

Oh that is awesome. But I can see how my question was less than clear. I thank you a TON for replying, and indeed the query did work!

What I am looking for is hits on a website. Basically all web traffic goes through a reverse proxy outside. However, if we have a misconfigured device from time to time internally that will get stuck in a loop and hit the website thousands of times in a short period of time, I want to catch it before others suffer the essential accidental DoS. So, what I am looking for is when a single IP address hit count exceeds the hitcount of the IP address that is the reverse proxy (10.1.1.50 (which should have the highest hit count), I would like to make an alert that this has occurred. The other addresses are devices that do routine maintenance and occasionally slam the server, but it occurs at a time we aren't worried about, which why I am excluding them.

Does this help?

Any thank you VERY much for the reply, I already have an idea how to put that to use now that I see how it works 🙂

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-15-2015 04:15 PM

Thanks for the explanation jptechnical. Please can you let me know how to get the hit count of an ip address?

SGF
0 Karma
Reply
Solved! Jump to solution

jptechnical
Explorer
‎04-17-2015 11:29 AM

| timechart count by c_ip

generates a chart with the number of events matching "c_ip"

That is what I want, number of events of "c_ip" and an alert if any single value for c_ip events exceeds the events matching c_ip=10.1.1.50

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-18-2015 01:40 AM

Ha ok. I think i get you now. Here you go:

        index=websrv sourcetype=iis NOT "10.1.1.3"  NOT "10.1.2.3"  NOT c_ip="10.1.1.50"|eventstats count(c_ip) as count_ip by c_ip|join [search  index=websrv sourcetype=iis NOT "10.1.1.3"  NOT "10.1.2.3" c_ip= "10.1.1.50"|stats count as count_proxy]|where count_ip>count_proxy|timechart count by c_ip
SGF
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...