Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to alert when the count is greater than 10000 and send me a list of the top 10 SRC_IP?

fmpa_isaac
Path Finder
‎02-25-2016 11:48 AM

Can someone please help me finish an alert I am trying to do below? I would like to set the alert to notify me once the count reaches 10k and then send me a list of the top 10 SRC_IPs. However, when I put in the search count > 10000, it removed the src_ip entries.

Here is my search string so far.

sourcetype="cisco:asa" action=blocked | stats count by src_ip, dest_ip, dest_port  | sort - by count | rename src_ip as Src, dest_ip as Dest, dest_port as Port | addcoltotals
0 Karma
Reply

dturnbull_splun
Splunk Employee
Splunk Employee
‎02-25-2016 02:07 PM

Use the custom condition in your alert :

where count > 1000
0 Karma
Reply

fmpa_isaac
Path Finder
‎02-26-2016 05:48 AM

thank you, that worked on the alert. All I need now is to report the top x while keeping an "Other" count at the bottom.

0 Karma
Reply

fmpa_isaac
Path Finder
‎02-25-2016 12:30 PM

I would also need the top 10 plus a line totaling the OTHER count as well.

0 Karma
Reply

0YAoNnmRmKDg
Path Finder
‎02-25-2016 12:22 PM

Hi,

you could just set the number of results in the alert triggers wizard to 10000 events?

http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Defineper-resultalerts

then just use something like

index = _internal | stats count by source | top limit=5 source

so you would have

my_awesome_search | top limit=10 Src

Cheers

0 Karma
Reply

fmpa_isaac
Path Finder
‎02-25-2016 12:29 PM

Thank you.

But that the problem. When I put the 10k in the alert trigger, it's just like putting it in the search string where it then removed all other records. I would also need the top 5 plus a line totalling the OTHER count as well.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...