Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to alert when the count is greater than 10000 and send me a list of the top 10 SRC_IP?

fmpa_isaac
Path Finder
‎02-25-2016 11:48 AM

Can someone please help me finish an alert I am trying to do below? I would like to set the alert to notify me once the count reaches 10k and then send me a list of the top 10 SRC_IPs. However, when I put in the search count > 10000, it removed the src_ip entries.

Here is my search string so far.

sourcetype="cisco:asa" action=blocked | stats count by src_ip, dest_ip, dest_port  | sort - by count | rename src_ip as Src, dest_ip as Dest, dest_port as Port | addcoltotals
0 Karma
Reply

dturnbull_splun
Splunk Employee
Splunk Employee
‎02-25-2016 02:07 PM

Use the custom condition in your alert :

where count > 1000
0 Karma
Reply

fmpa_isaac
Path Finder
‎02-26-2016 05:48 AM

thank you, that worked on the alert. All I need now is to report the top x while keeping an "Other" count at the bottom.

0 Karma
Reply

fmpa_isaac
Path Finder
‎02-25-2016 12:30 PM

I would also need the top 10 plus a line totaling the OTHER count as well.

0 Karma
Reply

0YAoNnmRmKDg
Path Finder
‎02-25-2016 12:22 PM

Hi,

you could just set the number of results in the alert triggers wizard to 10000 events?

http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Defineper-resultalerts

then just use something like

index = _internal | stats count by source | top limit=5 source

so you would have

my_awesome_search | top limit=10 Src

Cheers

0 Karma
Reply

fmpa_isaac
Path Finder
‎02-25-2016 12:29 PM

Thank you.

But that the problem. When I put the 10k in the alert trigger, it's just like putting it in the search string where it then removed all other records. I would also need the top 5 plus a line totalling the OTHER count as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...