After playing with Splunk, I was able to create a save search that would email us if an IP address has more than 500 failed attempts on our firewalls. The search runs every 60 mins.
Next, I would like to create a weekly summary report. i.e if 22.214.171.124 triggers an alert 3 separate times in the previous week, then the report will show 3. I tried creating a report on the saved search and having it run once a week, but that method displayed how many total fail attempts for the week, not the count. I’m not sure how to create a report on a save search or if I need to write a more complex search query. Thanks for your help.