I would like to write a query for an IP which is targeting my system every day. I would like to make a trend diagram or an alert to showcase these kinds of IPs.
But with the timechart command, I am unable to fulfill the need.
Example: one IP is scanning my system every day at 8 o'clock in the morning for the past 7 days. Then it should trigger an alert.
With timechart I can make the timeline with spikes, but I am not able to trigger an alert for the above.
What is your timechart query?
The query is "index=firewall_log | timechart span=1h count BY IP"
It gives a time line only.
What I need is that an alert should trigger when a suspicious IP is making a trend of accessing my network, "every day at the same time over a period of time".
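One way to express "same hour of the day, every day for the last 7 days" in SPL is to bucket each event by its hour of day and count how many distinct calendar days each IP was seen in that bucket. The search below is an added example, not a query from the thread or from Splunk's documentation; it assumes the index is `firewall_log` and the source address field is `IP` as in the original timechart, and the threshold of 7 distinct days is an assumption to be tuned.

```spl
index=firewall_log earliest=-7d@d latest=@d
| eval hour=strftime(_time, "%H"), day=strftime(_time, "%Y-%m-%d")
| stats count AS hits, dc(day) AS days_seen, values(day) AS days BY IP, hour
| where days_seen >= 7
| sort - days_seen, - hits
```

`dc(day)` is the key: an IP that hits the firewall 500 times on one morning gets `days_seen=1` and is ignored, while an IP with a single probe in the 08:00 bucket on each of the 7 days gets `days_seen=7` and is returned. Save this as a scheduled search running once a day with the alert condition "number of results is greater than 0", and each row is one (IP, hour) pair that has shown the daily pattern. Two caveats: the fixed one-hour bucket means a scan at 07:58 on one day and 08:02 on the next lands in two different buckets, so for a scanner that drifts around the hour boundary either widen the bucket (for example `span` of 2h via `bin _time span=2h` before the `eval`) or relax the threshold to `days_seen >= 6`; and `strftime` uses the search head's timezone, so confirm it matches the timezone you mean by "8 in the morning".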