
statistics greater than 500 count only

Path Finder

I have a search string that is working perfectly, but I want to create an email alert that triggers whenever a result exceeds 500. Below is the search string. I tried to create a search string and then create an alert that said to run every hour and count > 500, but it doesn't seem to work. The amount of time doesn't really matter; I'm more focused on the end result of getting alerted whenever something is over 500. The "x.x.x.x" portion was an IP address I removed just for the question, but these are email servers that we expect such traffic from, so I was excluding them from the search.

index=firewalls NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "Deny" NOT "No matching connection" NOT "Teardown" | regex srcport="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by destip srcport | sort -count | rename destip AS Source

Results show up as statistics:

Source          Port 110   Port 143   Port 25   Port 993
10.90.100.5     5          600        4         50
10.91.100.56    0          0          500       0
10.91.105.      560        0          0         0

0 Karma

Re: statistics greater than 500 count only

Path Finder

An alternative solution (assuming you mainly care about the email notification side) is to add the count > 500 in the query and trigger your alert on events > 0...

For example, append | where count > 500 to your above query, and your alert should work as expected (once you change the trigger condition).

0 Karma

Re: statistics greater than 500 count only

Path Finder

Whenever I add "where count > any number" the statistics do not show up. I even tried > 1 to see if that works, and even that breaks it.

0 Karma

Re: statistics greater than 500 count only

Motivator

Hi cgekoski,
Retry with the search code below; note that you must use the where command.

index=firewalls NOT ("x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "Deny" OR "No matching connection" OR "Teardown") | regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port | where count>500 | sort -count | rename dest_ip AS Source

0 Karma

Re: statistics greater than 500 count only

Path Finder

Unfortunately the where count>500 doesn't seem to work. I have tried to modify it to >1 and even that breaks the statistics window.

0 Karma

Re: statistics greater than 500 count only

Path Finder

I think the part that is breaking the search string is where I am doing a chart count by 2 fields: destip and srcport. So when I do a "where count>X", I'm guessing it doesn't know which field to use? The ideal goal is to get a breakdown of IP addresses sending traffic over mail ports (src_ports).

0 Karma
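To show why the thread's where count>500 drops every row after chart count by destip srcport, here is an added Python model of the two aggregations over constructed firewall events (not Splunk code and not from any poster): chart pivots the srcport values into columns so no count field survives, whereas stats count by destip srcport keeps one count per (destip, srcport) pair, which is the shape an alert with trigger condition "number of results > 0" needs.

```python
# Added example, not from the thread. Models the difference between
#   ... | chart count by destip srcport | where count>500   (returns nothing)
#   ... | stats count by destip srcport | where count>500   (returns matching pairs)
from collections import Counter

# Mail ports from the original regex srcport="^25$|^110$|^465$|^995$|^143$|^993$|^2525$"
MAIL_PORTS = {"25", "110", "465", "995", "143", "993", "2525"}

# Constructed firewall events; the full 10.91.105.7 address is a placeholder for the
# truncated "10.91.105." shown in the thread, and port 80 is added as a non-mail port.
EVENTS = (
    [{"destip": "10.90.100.5", "srcport": "143"}] * 600
    + [{"destip": "10.90.100.5", "srcport": "110"}] * 5
    + [{"destip": "10.91.100.56", "srcport": "25"}] * 500
    + [{"destip": "10.91.105.7", "srcport": "110"}] * 560
    + [{"destip": "10.91.105.7", "srcport": "80"}] * 900
)

def stats_count(events):
    """Like `stats count by destip srcport`: one row per pair, each with a `count` field."""
    pairs = Counter((e["destip"], e["srcport"]) for e in events if e["srcport"] in MAIL_PORTS)
    return [{"destip": ip, "srcport": port, "count": n} for (ip, port), n in pairs.items()]

def chart_count(events):
    """Like `chart count by destip srcport`: srcport values become columns, so there is
    no field named `count` in the output rows."""
    rows = {}
    for r in stats_count(events):
        rows.setdefault(r["destip"], {"destip": r["destip"]})[r["srcport"]] = r["count"]
    return list(rows.values())

def where_count_over(rows, threshold):
    """Like `where count > threshold`: a row with no `count` field can never pass."""
    return [r for r in rows if r.get("count") is not None and r["count"] > threshold]

def over_threshold_pairs(events, threshold=500):
    """The working pipeline: stats by both fields, filter, then sort -count."""
    return sorted(where_count_over(stats_count(events), threshold), key=lambda r: -r["count"])

def should_alert(events, threshold=500):
    """Alert trigger condition 'number of results > 0' applied to the filtered output."""
    return len(over_threshold_pairs(events, threshold)) > 0
```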