Alerting

Only alert if event happens X times, but display all events

Branden
Builder

I'm having a small dilemma with an alert that a user would like created...

Quite simply, we want to be alerted if a username has 3 or more failed login attempts in a 30 minute period. And if that alert triggers, I want to display ALL failed login attempts for that 30 minute period.

It sounded simple, but this turned out to be harder than I thought.

When I configure the alert to trigger if "Number of events > 3", it will trigger if ANY three users fail. I only want it to trigger if the same user fails (in the past 30 minutes).

Is there a way to do this? I'm running v4.3.3.

Thanks!

1 Solution

echalex
Builder

Hi,

Sounds to me that what you are trying to do is more or less the same as in this example in the documentation.

Basically, you add something like "| stats count by user"
into the search and create a custom alert trigger such as "search count > 3".

HTH!

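The distinction the thread turns on, counting per user rather than counting events, is easy to see when the logic is written out. The following is an added example and not code from the thread or from Splunk: it is plain Python over a constructed list of login events (the timestamps, usernames and the 30-minute window are assumptions for illustration, and the threshold is the question's "3 or more"). `naive_should_alert` reproduces the original "Number of events > N" condition, which fires whenever any three users fail; `evaluate` applies the per-user condition and still returns every failed attempt in the window, which is what the alert report should display.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original thread): timestamp, user, outcome.
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:05", "alice", "failure"),
    ("2024-05-01 10:02:10", "bob",   "failure"),
    ("2024-05-01 10:05:30", "alice", "failure"),
    ("2024-05-01 10:07:00", "carol", "success"),   # successes never count
    ("2024-05-01 10:12:45", "alice", "failure"),
    ("2024-05-01 10:20:00", "dave",  "failure"),
    ("2024-05-01 09:20:00", "alice", "failure"),   # outside the window, must be ignored
]

WINDOW = timedelta(minutes=30)   # assumed alert window
THRESHOLD = 3                    # "3 or more" failures for the same user


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def failures_in_window(events, now, window=WINDOW):
    """Every failed login in (now - window, now], regardless of user."""
    start = now - window
    return sorted((parse(ts), user) for ts, user, outcome in events
                  if outcome == "failure" and start < parse(ts) <= now)


def naive_should_alert(events, now, threshold=THRESHOLD):
    """The original condition: total failed events in the window >= threshold.
    This fires when three *different* users each fail once."""
    return len(failures_in_window(events, now)) >= threshold


def evaluate(events, now, threshold=THRESHOLD):
    """Per-user condition. Returns (offending_users, all_failures_in_window):
    offending_users is non-empty only if a single user has >= threshold
    failures in the window; the second element is the full list of failed
    attempts in that window so the report shows all of them."""
    failures = failures_in_window(events, now)
    per_user = defaultdict(int)
    for _, user in failures:
        per_user[user] += 1
    offending = sorted(u for u, c in per_user.items() if c >= threshold)
    return offending, failures


def should_alert(events, now, threshold=THRESHOLD):
    return bool(evaluate(events, now, threshold)[0])


if __name__ == "__main__":
    for ts in ("2024-05-01 10:10:00", "2024-05-01 10:25:00"):
        now = parse(ts)
        users, failed = evaluate(SAMPLE_EVENTS, now)
        print(f"at {ts}: naive={naive_should_alert(SAMPLE_EVENTS, now)} "
              f"per-user={bool(users)} offending={users} failures={len(failed)}")
```

At 10:10 there are three failures across two users, so the naive condition fires while the per-user one does not; at 10:25 alice has reached three and the per-user alert fires with all five failed attempts in the window attached. In Splunk terms the same idea applies: `| stats count by user` collapses the results to one row per user, which is why a report built on it shows counts rather than attempts, whereas `| eventstats count by user` keeps every event and adds the per-user count as a field that the alert condition can filter on.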

Branden
Builder

Never mind, I think I figured out why that procedure didn't work at first. Turns out it was behaving as expected after all. Thanks again, your link was very helpful!

0 Karma

echalex
Builder

Answer has been corrected now.

0 Karma

echalex
Builder

Oops, there was a minor typo in my answer. Perhaps this affected your results?

You need the "search" keyword in the custom condition, so it will restrict the results to only having more than three failures.

0 Karma

Branden
Builder

Thank you for your response.
Hmm..... the example you pointed me to is exactly what I need. And I followed the example verbatim, but it's not working as expected. It alerts regardless of how many login failures (even if fewer than three). And the alert report it provides is uninformative, but I can tweak that on my own.

But because the example you linked me to is exactly what I need, I think something else is weird on my end. I may open up a tech support ticket to get this worked out.

Thank you very much for the tip!

0 Karma