Alerting

Splunk Alert not behaving as expected

brewster88
New Member

Morning Guys,

Hope everyone is well. I have set up a custom alert in Splunk that runs once an hour and looks at the past hour of activity.

index=index AND site=******** AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url="*******/account/login" AND UserAgent="*iPhone" | bucket span=1m _time | stats count(site) as requests by _time, site, Client_Type, src, UserAgent | where requests > 180

Where I have defined the 180 - is this requests per minute, or where 180 requests have been breached over the past hour of activity?

Guess I just need a little help in understanding exactly what I have setup here 🙂

Tom


DavidHourani
Super Champion

Hi @brewster88,

This is the requests per minute greater than 180, because the bucket command will split your time into chunks of 1 minute. When you aggregate it with stats it stays at 1 minute.

If you want to make it over the entire hour then you can run this search hourly:

index=index AND site=******** AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url="*******/account/login" AND UserAgent="*iPhone" | stats count(site) as requests by site, Client_Type, src, UserAgent | where requests > 180

Cheers,
David

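To make the difference between the two searches concrete, here is an added Python simulation of both pipelines over constructed events (this is not code from the thread or from Splunk; the site name, source IPs and timestamps are made-up placeholders). It models `bucket span=1m _time | stats count ... by _time, ... | where requests > 180` as a count per (minute, site, src) key, and the hourly variant as a count per (site, src) key over the whole search window. Three sources are constructed: a steady 4 requests/minute for an hour (240 total), a burst of 190 requests inside one minute, and a steady 3 requests/minute (exactly 180 total) to show that `where requests > 180` is a strict inequality.

```python
"""Simulate the per-minute and per-hour alert pipelines from the thread.

Added example, not code from the post or from Splunk. Event values
(site name, source addresses, timestamps) are constructed placeholders.
"""
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 180  # same threshold the alert in the thread uses


def build_events():
    """Return a constructed list of (timestamp, site, src) events for one hour."""
    base = datetime(2024, 1, 1, 9, 0, 0)  # constructed: start of the search window
    events = []

    # Source A: steady 4 requests per minute for 60 minutes = 240 in the hour.
    for minute in range(60):
        for k in range(4):
            events.append((base + timedelta(minutes=minute, seconds=15 * k),
                           "site-A", "198.51.100.10"))

    # Source B: a burst of 190 requests inside a single minute, nothing else.
    for k in range(190):
        events.append((base + timedelta(minutes=30, milliseconds=300 * k),
                       "site-A", "198.51.100.20"))

    # Source C: steady 3 requests per minute = exactly 180 in the hour.
    for minute in range(60):
        for k in range(3):
            events.append((base + timedelta(minutes=minute, seconds=20 * k),
                           "site-A", "198.51.100.30"))
    return events


def bucket_1m(ts):
    """Equivalent of `bucket span=1m _time`: truncate the timestamp to the minute."""
    return ts.replace(second=0, microsecond=0)


def per_minute_alert(events, threshold=THRESHOLD):
    """bucket span=1m _time | stats count by _time, site, src | where requests > threshold.

    Returns the (site, src) pairs that exceeded the threshold in ANY one-minute bucket.
    """
    counts = Counter((bucket_1m(ts), site, src) for ts, site, src in events)
    return sorted({(site, src) for (_, site, src), n in counts.items() if n > threshold})


def per_hour_alert(events, threshold=THRESHOLD):
    """stats count by site, src | where requests > threshold.

    With no bucket and no _time in the by-clause, the count covers the whole
    search window (one hour if the alert is scheduled hourly over the last hour).
    """
    counts = Counter((site, src) for _, site, src in events)
    return sorted({key for key, n in counts.items() if n > threshold})


def peak_per_minute(events):
    """Highest single-minute count seen for each (site, src) pair."""
    counts = Counter((bucket_1m(ts), site, src) for ts, site, src in events)
    peaks = {}
    for (_, site, src), n in counts.items():
        peaks[(site, src)] = max(peaks.get((site, src), 0), n)
    return peaks


if __name__ == "__main__":
    evts = build_events()
    print("per-minute alert fires for:", per_minute_alert(evts))
    print("per-hour alert fires for:  ", per_hour_alert(evts))
    print("peak requests in any minute:", peak_per_minute(evts))
```

Run as written, the per-minute version fires only for the bursting source (190 in one minute), while the hourly version fires for the steady 240/hour source as well; the 180/hour source triggers neither because the threshold is strict. The hourly count is only "per hour" because the scheduled search's time range is one hour; widening the range widens the window the count covers.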