Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create an alert when more than 10 events have appeared in one hour?

josedgaravito
New Member
‎06-14-2019 09:01 AM

Hi, splunkers.

I need to generate an alert when more than 10 events related to the same camera are generated in 1 hour. I have tried with count and other commands but it has not been possible.

the examples of events are:

[2019-06-03 01:22:40] Cámara CAM004: La cámara esta presentando problemas {"Workstation":"192.168.10.2","Camara":"172.16.8.12","estadoSeñal":"Camera Connection Status(Lost)"}.

When a camera fails, they are presented around 20 events in a time range of one hour.

Tags (2)
0 Karma
Reply

jnudell_2
Builder
‎06-14-2019 09:59 AM

Hi @josedgaravito ,

You could try this as well:

 ... [ your base search ] ... earliest=-1h

| rex "Cámara (?<camara>[^:]+):"

| stats count by camara

| where count > 10

This should show results for camara having more than 10 events in the time frame specified.

0 Karma
Reply

Vijeta
Influencer
‎06-14-2019 09:20 AM

@josedgaravito What is the field name for Camera, do you need to extract the fields or are they already extracted? How does your search query look.

0 Karma
Reply

josedgaravito
New Member
‎06-14-2019 10:08 AM

It has no name, they differ by the IP, the field of the camera is IPCamara

0 Karma
Reply

Vijeta
Influencer
‎06-14-2019 10:21 AM

@josedgaravito 

<your search>|bin _time span=1h | stats count by IPCamera _time| where count > 10
0 Karma
Reply

DavidHourani
Super Champion
‎06-14-2019 09:18 AM

Hola @josedgaravito,

I see what you want to do, have a look here, should be a very similar solution :
https://answers.splunk.com/answers/751158/how-to-find-out-falied-login-attemptseventcode4625-1.html#...

Your query should be something like this :

  yourBaseSearch
 | bin _time span=1h 
 | stats count by cameraID,_time
 | where count > 10

Let me know if you need more help.

Cheers,
David

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...