Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

More than 100 “EventID=8306 sourcetype="xyz"” in 15 minutes on an individual host base

mvishal
Explorer
‎07-08-2015 03:22 AM

i want an alert setup in splunk for 100 occurrence of event id 8306 per host for sourcetype "xyz" in 15 minutes..

Can anyone suggest ??

Tags (2)
0 Karma
Reply

sc0tt
Builder
‎07-08-2015 03:39 AM

What about something like sourcetype="xyz" EventID=8306 | stats count by host | where count > 100 then schedule it to run every 15 minutes for the previous 15 minutes, start time = -15m@m finish time = @m?

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...