Solved: Splunk Real-Time Alerts

nspatel · ‎12-10-2014

Hi everyone,

I am having some problem with real time alerting. The following query in splunk will return for me userIDs and the number of times someone has failed their password the last 15 minutes (or so I think)

index=indexname source="/opt/logfilelocation.log" "[Not Authenticated. Invalid credentials]" earliest=-15m latest=now | stats count by userID

I am trying to configure a splunk alert that will send me an email if a user fails their password 10 times or more in 15 mins. I only want 1 alert per user per hour. I thought this would be something easy to do but I seem to be getting a lot problems with this not responding correctly.

Is my search good? Anyone have some recommendations? Thanks!

nspatel · ‎12-10-2014

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

View solution in original post

nspatel · ‎12-10-2014

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

Splunk Real-Time Alerts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Join the Conversation