Alerting

Splunk Real-Time Alerts

Explorer

Hi everyone,

I am having some problem with real time alerting. The following query in splunk will return for me userIDs and the number of times someone has failed their password the last 15 minutes (or so I think)

index=indexname source="/opt/logfilelocation.log" "[Not Authenticated. Invalid credentials]" earliest=-15m latest=now | stats count by userID

I am trying to configure a splunk alert that will send me an email if a user fails their password 10 times or more in 15 mins. I only want 1 alert per user per hour. I thought this would be something easy to do but I seem to be getting a lot problems with this not responding correctly.

Is my search good? Anyone have some recommendations? Thanks!

0 Karma
1 Solution

Explorer

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

View solution in original post

0 Karma

Explorer

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

View solution in original post

0 Karma