Solved: Separate alert for every (and only) entry which co...

shorokhov · ‎01-17-2022

Hi,

have CLIENT_CONNECT_AUTH_FAIL log entries in Splunk for different usernames.

Would like to send an alert when the count of CLIENT_CONNECT_AUTH_FAIL entries for a specific username exceeds a threshold (say 10 within the last 5 min), an alert should be generated for every user that exceeded a threshold (1 alert per the corresponding username).

Trying to achieve that I've used `| stats count by username` and then put trigger `search count > 10`, but results are not as expected 😞

Consider an example. Stats query produces the following results:

username     count
user1              20
user2              15
user3              5

If I set `Trigger` = `Once` then I get an alert for only user1 despite that count of CLIENT_CONNECT_AUTH_FAIL for `user2` also exceeded threshold.
If I set `Trigger` = `For each result` then I get an alert for every username despite that threshold is not exceeded for `user3`.

What is the right way to do this in Splunk?

shorokhov · ‎01-17-2022

Added `| where count > 10` to the query and set trigger on `Number of Results > 0` `For each result`
This did the magic (:

View solution in original post

shorokhov · ‎01-17-2022

Added `| where count > 10` to the query and set trigger on `Number of Results > 0` `For each result`
This did the magic (:

Separate alert for every (and only) entry which count exceeds threshold

alert condition

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All