Splunk Alert not behaving as expected

brewster88 · ‎05-20-2019

Morning Guys,

Hope everyone is well, I have setup a custom alert in Splunk that runs once an hour and looks at the past hour of activity.

index=index AND site=******** AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url=*******/account/login" AND UserAgent="*iPhone" | bucket span=1m _time | stats count(site) as requests by _time, site, Client_Type,src , UserAgent | where requests > 180

Where I have defined the 180 - is this requests per minute? or where 180 requests has been breached over the past hour of activity?

Guess I just need a little help in understanding exactly what I have setup here 🙂

Tom

DavidHourani · ‎05-20-2019

Hi @brewster88,

This is the requests per minute greater than 180 because the bucket command will split your time into chunks of 1minute. When you aggregate it with stats it stays at 1 minute.

if you want to make it over the entire hour then you can run this search hourly:

index=index AND site= AND act=REQ_CHALLENGE_CAPTCHA AND action=blocked AND url=/account/login" AND UserAgent="iPhone"  | stats count(site) as requests by site, Client_Type,src , UserAgent | where requests > 180

Cheers,
David

Splunk Alert not behaving as expected

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!