Solved: Make a Alert across 2 Fields

coric · ‎03-10-2021

I'm trying to make an Alert trigger when the same source IP is more than 40 times, across more than 40 destination IP within 5 minutes. I'm not so sure how to accomplish this...

gcusello · ‎03-10-2021

Hi @coric,

let me understand: do you want to find when one source IP is connected with more than 40 different destination IPs in 5 minutes or what else?

If this is your need, you should try something like this:

your_search earliest=-5m latest=now
| stats dc(dest_IP) AS dc_dest_IP BY source_IP
| where dc_dest_IP>40

Ciao.

Giuseppe

View solution in original post

gcusello · ‎03-10-2021

Hi @coric,

let me understand: do you want to find when one source IP is connected with more than 40 different destination IPs in 5 minutes or what else?

If this is your need, you should try something like this:

your_search earliest=-5m latest=now
| stats dc(dest_IP) AS dc_dest_IP BY source_IP
| where dc_dest_IP>40

Ciao.

Giuseppe

coric · ‎03-10-2021

Perfect, that should work perfectly, il let you know!

Make a Alert across 2 Fields

alert action

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life