Alerting

setting up a custom alert

Splunker4Life
Explorer

Hi all,

I am trying to set up a custom alert that triggers when I receive more than 50 emails from any given address in the space of 30 minutes. I am using this to alert for spam. So far i have got the alert working and once triggered it does not alert again for another 2 hours. The issue i have is that after 2 hours Splunk will alert me again saying xyz@blah.com has sent 200 emails. As I am already aware that i have received excess emails from this sender I would like Splunk to not alert on that specific address but keep alerting on anything new that comes up.

Is such a thing possible?

One thought I had is that I run a scheduled search every 30 minutes and only ask it to look at the previous 30 minutes, that way it will pick up anything new. However that means if the hits of spam are spread over the course of an hour for example then i will get multiple alerts for each hit is over 50 which presents the previous issue.

Thanks in advance,

Anu

Tags (3)
0 Karma

MuS
Legend

Hi Splunker4Life,

take this run everywhere example and adapt it to your needs:

index=_internal source=*metrics.log earliest=-30min@min latest=-0min@min NOT [ search index=_internal source=*metrics.log earliest=-60min@min latest=-30min@min | dedup series | table series ] | stats count by series

this example will search for all series in metrics.log for a time range 60 minutes to 30 minutes ago and use this result to compare with the same search but with a time range 30 minutes to 0 minutes ago. The resulting stats will only show new series events for the last 30 minutes.

hope this helps to get you started ...

cheers, MuS

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...