how to create report/alert with repeating same ip address

New Member

I have a threatid from firewall with IP address information. and want to ask is it possible to create report/alert for the repeating same ip address after 7 days without manually input the ip address?

Tags (1)
0 Karma


You could try something like this and alert if count>0

... earliest=-7d@d | stats count as occurrences by ip | where occurrences>(enter your threshold number here)
0 Karma


This should get you started.

index=foo threatid=bar | bin span=7d _time | stats count by ipaddress | where count > 1
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...