Alerting

Separate alert for every (and only) entry which count exceeds threshold

shorokhov
Engager

Hi,

have CLIENT_CONNECT_AUTH_FAIL log entries in Splunk for different usernames.

Would like to send an alert when the count of CLIENT_CONNECT_AUTH_FAIL entries for a specific username exceeds a threshold (say 10 within the last 5 min), an alert should be generated for every user that exceeded a threshold (1 alert per the corresponding username).

Trying to achieve that I've used `| stats count by username` and then put trigger `search count > 10`, but results are not as expected 😞

Consider an example. Stats query produces the following results:

username     count
user1              20
user2              15
user3              5

If I set `Trigger` = `Once` then I get an alert for only user1 despite that count of CLIENT_CONNECT_AUTH_FAIL for `user2` also exceeded threshold.
If I set `Trigger` = `For each result` then I get an alert for every username despite that threshold is not exceeded for `user3`.

What is the right way to do this in Splunk?

Labels (1)
0 Karma
1 Solution

shorokhov
Engager

Added `| where count > 10` to the query and set trigger on `Number of Results > 0` `For each result`
This did the magic (:

View solution in original post

0 Karma

shorokhov
Engager

Added `| where count > 10` to the query and set trigger on `Number of Results > 0` `For each result`
This did the magic (:

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...