Alert by Source IP Where Threshold Exceeded

Path Finder

I have the following alert created in Splunk to alert me when the number of firewall drops exceeds 30 within a specified time span:

source="udp:514" error_code=106001 | stats count as NumDrops by src_ip | where NumDrops > 30

When I receive the email for this alert, the attached csv file contains only the src_ip and NumDrops fields. This is understandable, as this is what the search returns. However, I would like to see each individual log that comprises this search in the alert email. How would I go about doing this? Do I need to somehow chain the searches, whereby I find out which src_ip triggers the alert and then perform another search using this src_ip?

Thanks!


SplunkTrust

You could replace stats with eventstats. Instead of dropping everything but the count and the src_ip it adds the count to the event.

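To make the difference concrete, here is an added simulation (not Splunk code, and not from the original thread) of the two pipelines over constructed firewall-drop events: `stats` collapses each src_ip to a single count row, while `eventstats` keeps every event and attaches the count as a new field, so the `where NumDrops > 30` filter returns the individual log events. The sample events, IP addresses and `_raw` text are constructed for illustration.

```python
"""Simulate Splunk `stats` vs `eventstats` for the alert discussed above.

Original alert:   ... | stats count as NumDrops by src_ip | where NumDrops > 30
Suggested change: ... | eventstats count as NumDrops by src_ip | where NumDrops > 30
"""
from collections import Counter

THRESHOLD = 30  # same threshold as the alert on the page


def make_events():
    """Constructed sample events (not real logs): 35 drops from one IP, 5 from another."""
    events = []
    for i in range(35):
        events.append({"src_ip": "192.0.2.10", "error_code": 106001,
                       "_raw": f"drop #{i} from 192.0.2.10"})
    for i in range(5):
        events.append({"src_ip": "198.51.100.7", "error_code": 106001,
                       "_raw": f"drop #{i} from 198.51.100.7"})
    return events


def stats_count_by(events, field, out="NumDrops"):
    """`stats count as <out> by <field>`: one row per group, original fields dropped."""
    counts = Counter(e[field] for e in events)
    return [{field: k, out: v} for k, v in counts.items()]


def eventstats_count_by(events, field, out="NumDrops"):
    """`eventstats count as <out> by <field>`: every event kept, count added as a field."""
    counts = Counter(e[field] for e in events)
    return [{**e, out: counts[e[field]]} for e in events]


def where_gt(rows, field, threshold):
    """`where <field> > <threshold>`: keep only rows above the threshold."""
    return [r for r in rows if r[field] > threshold]


def original_alert(events):
    """The alert as posted: returns only summary rows (src_ip, NumDrops)."""
    return where_gt(stats_count_by(events, "src_ip"), "NumDrops", THRESHOLD)


def eventstats_alert(events):
    """The suggested change: returns each raw event from offending src_ips."""
    return where_gt(eventstats_count_by(events, "src_ip"), "NumDrops", THRESHOLD)


if __name__ == "__main__":
    evs = make_events()
    print(original_alert(evs))          # one summary row for 192.0.2.10
    for row in eventstats_alert(evs):   # all 35 raw drop events from 192.0.2.10
        print(row["src_ip"], row["NumDrops"], row["_raw"])
```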

Path Finder

Works great! Thanks.
