Solved: Alert by Source IP Where Threshold Exceeded

vragosta · ‎03-11-2013

I have the following alert created in Splunk to alert me when the number of firewall drops exceeds 30 within a specified time span:

source="udp:514" error_code=106001 | stats count as NumDrops by src_ip | where NumDrops > 30

When I receive the email for this alert, the attached csv file contains only the src_ip and NumDrops fields. This is understandable, as this is what the search returns. However, I would like to see each individual log that comprises this search in the alert email. How would I go about doing this? Do I need to somehow chain the searches, whereby I find out which src_ip triggers the alert and then perform another search using this src_ip?

Thanks!

martin_mueller · ‎03-11-2013

You could replace stats with eventstats. Instead of dropping everything but the count and the src_ip it adds the count to the event.

View solution in original post

martin_mueller · ‎03-11-2013

You could replace stats with eventstats. Instead of dropping everything but the count and the src_ip it adds the count to the event.

vragosta · ‎03-12-2013

Works great! Thanks.

Alert by Source IP Where Threshold Exceeded

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

Alert by Source IP Where Threshold Exceeded

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud