Morning Guys,
Hope everyone is well. I have set up a custom alert in Splunk that runs once an hour and looks at the past hour of activity.
index=index AND site=******** AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url="*******/account/login" AND UserAgent="*iPhone" | bucket span=1m _time | stats count(site) as requests by _time, site, Client_Type, src, UserAgent | where requests > 180
Where I have defined the 180: is this requests per minute, or is it where 180 requests have been breached over the past hour of activity?
Guess I just need a little help in understanding exactly what I have setup here 🙂
Tom
Hi @brewster88,
This is the requests per minute greater than 180, because the bucket command will split your time into chunks of 1 minute. When you aggregate it with stats it stays at 1 minute.
If you want to make it over the entire hour then you can run this search hourly:
index=index AND site= AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url="/account/login" AND UserAgent="iPhone" | stats count(site) as requests by site, Client_Type, src, UserAgent | where requests > 180
Cheers,
David
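To make the difference between the two searches concrete, here is an added Python simulation (not part of either post above) of what `bucket span=1m _time | stats count ... | where requests > 180` and plain `stats count ... | where requests > 180` each produce over the same hour of events. The events, source IPs and timestamps are constructed for illustration; the point it shows is that a source spreading 200 blocked login attempts evenly across the hour never crosses 180 in any single minute, so only the hourly version alerts on it, while a one-minute burst trips both.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, src) for blocked CAPTCHA-challenge
# events on the login URL during one hour. Nothing here is real traffic.
def make_events():
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # src A: 200 requests spread evenly over the hour (one every 18 s,
    # so at most 4 land in any one minute)
    for i in range(200):
        events.append((base + timedelta(seconds=i * 18), "198.51.100.10"))
    # src B: 250 requests crammed into the minute starting 09:30
    for i in range(250):
        events.append((base + timedelta(minutes=30, seconds=i % 60), "203.0.113.7"))
    # src C: 50 requests, one per minute; stays under both thresholds
    for i in range(50):
        events.append((base + timedelta(minutes=i), "192.0.2.5"))
    return events

def per_minute_alert(events, threshold=180):
    """Mirrors: bucket span=1m _time | stats count by _time, src | where requests > threshold
    Each event is floored to its minute, counted per (minute, src), and a src is
    returned if ANY single minute exceeds the threshold."""
    counts = Counter()
    for ts, src in events:
        minute = ts.replace(second=0, microsecond=0)   # what bucket span=1m does to _time
        counts[(minute, src)] += 1
    return sorted({src for (_, src), n in counts.items() if n > threshold})

def hourly_alert(events, threshold=180):
    """Mirrors: stats count by src | where requests > threshold
    Without bucket, stats aggregates over the whole search window (the past hour),
    so the threshold applies to the hourly total."""
    counts = Counter(src for _, src in events)
    return sorted(src for src, n in counts.items() if n > threshold)

if __name__ == "__main__":
    evs = make_events()
    print("per-minute rule fires for:", per_minute_alert(evs))   # only the burst source
    print("hourly rule fires for:   ", hourly_alert(evs))        # burst source and the slow, steady one
```

Which one you want depends on what you are trying to catch: the per-minute form only flags bursts, while the hourly form also catches a slower, sustained stream of blocked attempts that never spikes.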