statistics greater than 500 count only

Path Finder

I have a search string that is working perfectly, but I want to create an email alert that triggers whenever a result exceeds 500. Below is the search string. I tried to create a search string and then create an alert that said to run every hour and count > 500, but it doesn't seem to work. The amount of time doesn't really matter; I'm more focused on the end result of getting alerted whenever something is over 500. The "x.x.x.x" portions were IP addresses I removed just for the question; they are email servers that we expect such traffic from, so I was excluding them from the search.

index=firewalls NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "Deny" NOT "No matching connection" NOT "Teardown" | regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port | sort -count | rename dest_ip AS Source

Results show up as statistics:

Source         Port 110   Port 143   Port 25   Port 993
10.90.100.5           5        600         4         50
10.91.100.56          0          0       500          0
10.91.105.          560          0         0          0

0 Karma

Motivator

Hi cgekoski,
Retry with the search code below; note that you must use the where command.

index=firewalls NOT ("x.x.x.x" OR  "x.x.x.x" OR  "x.x.x.x" OR "x.x.x.x" OR  "Deny" OR "No matching connection" OR "Teardown" )| regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port| where count>500 | sort -count | rename dest_ip AS Source
0 Karma

Path Finder

Unfortunately the where count>500 doesn't seem to work. I have tried to modify it to >1 and even that breaks the statistics window.

0 Karma

Path Finder

I think the part that is breaking the search string is where I am doing a chart count by 2 fields, dest_ip and src_port, so when I do a "where count>X" I'm guessing it doesn't know which field to use? The ideal goal is to get a breakdown of IP addresses sending traffic over mail ports (Src_ports).

0 Karma

Path Finder

An alternative solution (assuming you mainly care about the email notification side) is to add the count > 500 in the query and trigger your alert on events > 0...

For example, append | where count > 500 to your above query, and your alert should work as expected (once you change the trigger condition).

0 Karma

Path Finder

Whenever I add "where count > any number" the statistics do not show up. I even tried > 1 to see if that works, and even that breaks it.

0 Karma
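Added example (not posted by anyone in this thread): chart count by dest_ip src_port pivots the port values into columns, so no field named count survives for where to test against, which is why the filter empties the statistics table. Aggregating with stats keeps count as a field, the filter then works, and xyseries rebuilds the pivoted view afterwards; the x.x.x.x placeholders are the excluded mail servers from the question.

```spl
index=firewalls NOT ("x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "Deny" OR "No matching connection" OR "Teardown")
| regex src_port="^(25|110|465|995|143|993|2525)$"
| stats count by dest_ip src_port
| where count > 500
| sort -count
| rename dest_ip AS Source
| xyseries Source src_port count
| fillnull value=0
```

Save this as the alert search with the trigger condition set to Number of Results greater than 0; drop the last two lines if a flat Source/src_port/count list is enough for the email.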