Re: Splunk Alert not behaving as expected

brewster88 · ‎05-20-2019

Morning Guys,

Hope everyone is well, I have setup a custom alert in Splunk that runs once an hour and looks at the past hour of activity.

index=index AND site=******** AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url=*******/account/login" AND UserAgent="*iPhone" | bucket span=1m _time | stats count(site) as requests by _time, site, Client_Type,src , UserAgent | where requests > 180

Where I have defined the 180 - is this requests per minute? or where 180 requests has been breached over the past hour of activity?

Guess I just need a little help in understanding exactly what I have setup here 🙂

Tom

DavidHourani · ‎05-20-2019

Hi @brewster88,

This is the requests per minute greater than 180 because the bucket command will split your time into chunks of 1minute. When you aggregate it with stats it stays at 1 minute.

if you want to make it over the entire hour then you can run this search hourly:

index=index AND site= AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url=/account/login" AND UserAgent="iPhone"  | stats count(site) as requests by site, Client_Type,src , UserAgent | where requests > 180

Cheers,
David

Splunk Alert not behaving as expected

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation