Alerting

Splunk Real-Time Alerts

nspatel
Explorer

Hi everyone,

I am having some problem with real time alerting. The following query in splunk will return for me userIDs and the number of times someone has failed their password the last 15 minutes (or so I think)

index=indexname source="/opt/logfilelocation.log" "[Not Authenticated. Invalid credentials]" earliest=-15m latest=now | stats count by userID

I am trying to configure a splunk alert that will send me an email if a user fails their password 10 times or more in 15 mins. I only want 1 alert per user per hour. I thought this would be something easy to do but I seem to be getting a lot problems with this not responding correctly.

Is my search good? Anyone have some recommendations? Thanks!

0 Karma
1 Solution

nspatel
Explorer

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

View solution in original post

0 Karma

nspatel
Explorer

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...