All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to trigger alerts on the count of the value of a custom field?

olawalePS
Path Finder
‎11-08-2022 12:51 AM

I am trying to create an alert for multiple failed logins but my query doesn't seem to work.

The alert is detailed in the image attached, and the query is:

index="authenticate" eventType="user.session.start" outcome.result="FAILURE"
| stats count by actor.alternateId

Please help correct the query.

Labels (1)
Labels
Preview file
63 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 12:57 AM

Hi @olawalePS,

insert the condition in the search:

index="authenticate" eventType="user.session.start" outcome.result="FAILURE"
| stats count by actor.alternateId
| where count>3

and trigger the alert when results>0

then I don't like to have dots in a field so I prefer:

index="authenticate" eventType="user.session.start" outcome.result="FAILURE"
| rename actor.alternateId AS alternateId
| stats count by alternateId
| where count>3

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-08-2022 12:57 AM

Hi @olawalePS,

insert the condition in the search:

index="authenticate" eventType="user.session.start" outcome.result="FAILURE"
| stats count by actor.alternateId
| where count>3

and trigger the alert when results>0

then I don't like to have dots in a field so I prefer:

index="authenticate" eventType="user.session.start" outcome.result="FAILURE"
| rename actor.alternateId AS alternateId
| stats count by alternateId
| where count>3

Ciao.

Giuseppe

Reply
Solved! Jump to solution

olawalePS
Path Finder
‎11-09-2022 03:16 AM

I modified the search but it still did not trigger an alert. is the cron job schedule configured correctly?

I attached the screenshot of the config

Preview file
49 KB
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-09-2022 03:43 AM

Hi @olawalePS,

your search is schedule to run one time a week (Monday at 6:00) on the last 10 minutes, is it correct?

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

olawalePS
Path Finder
‎11-09-2022 04:19 AM

@gcusello No, I want it to run every 10 minutes.

0 Karma
Reply
Solved! Jump to solution

olawalePS
Path Finder
‎11-09-2022 04:34 AM

@gcusello I have corrected the cron expression. Thanks for helping to point it out

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...