I have CLIENT_CONNECT_AUTH_FAIL log entries in Splunk for different usernames.
I would like to send an alert when the count of CLIENT_CONNECT_AUTH_FAIL entries for a specific username exceeds a threshold (say 10 within the last 5 min); an alert should be generated for every user that exceeded the threshold (1 alert per corresponding username).
To achieve that I've used `| stats count by username` and then set the trigger condition to `search count > 10`, but the results are not as expected 😞
Consider an example. The stats query produces the following results:
If I set `Trigger` = `Once` then I get an alert only for user1, even though the count of CLIENT_CONNECT_AUTH_FAIL for `user2` also exceeded the threshold.
If I set `Trigger` = `For each result` then I get an alert for every username, even though the threshold is not exceeded for `user3`.
What is the right way to do this in Splunk?
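Added example, not part of the original post: the per-user threshold logic the question describes, implemented in Python over constructed CLIENT_CONNECT_AUTH_FAIL lines. It counts failures per username inside a 5-minute window and keeps only users whose count exceeds 10, so the result set contains exactly the users that should each get an alert. The log line format, the `username=` field and the timestamps are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: "<ISO-8601 UTC timestamp> CLIENT_CONNECT_AUTH_FAIL username=<user> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) CLIENT_CONNECT_AUTH_FAIL username=(?P<user>\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)  # constructed "search time"


def parse(lines):
    """Yield (timestamp, username) for each CLIENT_CONNECT_AUTH_FAIL line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
            yield ts, m["user"]


def users_over_threshold(lines, now, window=timedelta(minutes=5), threshold=10):
    """Count failures per username inside [now - window, now] and return only the
    users whose count exceeds the threshold: one result row per offending user."""
    counts = defaultdict(int)
    for ts, user in parse(lines):
        if now - window <= ts <= now:
            counts[user] += 1
    return {user: n for user, n in counts.items() if n > threshold}


def constructed_sample(now):
    """Constructed sample: user1 (12) and user2 (11) exceed the threshold inside the
    window, user3 (3) does not, and user4 has 20 failures that are older than 5 minutes."""
    lines = ["2024-05-01T09:59:50Z CLIENT_CONNECT_AUTH_OK username=user1 src=10.0.0.5"]
    for user, n in {"user1": 12, "user2": 11, "user3": 3}.items():
        for i in range(n):
            ts = now - timedelta(seconds=10 * i)
            lines.append(f"{ts:{TS_FMT}} CLIENT_CONNECT_AUTH_FAIL username={user} src=10.0.0.5")
    for i in range(20):  # stale failures outside the window must not count
        ts = now - timedelta(minutes=6, seconds=i)
        lines.append(f"{ts:{TS_FMT}} CLIENT_CONNECT_AUTH_FAIL username=user4 src=10.0.0.9")
    return lines


def demo():
    """Run the threshold check over the constructed sample."""
    return users_over_threshold(constructed_sample(NOW), NOW)


if __name__ == "__main__":
    for user, n in demo().items():
        print(f"ALERT {user}: {n} CLIENT_CONNECT_AUTH_FAIL in last 5 min")
```

The same filtering belongs inside the Splunk search itself (`| stats count by username | where count > 10`) rather than in the trigger condition, so that a `For each result` trigger only sees the users that actually exceeded the threshold.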