Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to create report/alert with repeating same ip address

gijoesplunk
New Member
‎09-06-2016 09:33 PM

I have a threatid from firewall with IP address information. and want to ask is it possible to create report/alert for the repeating same ip address after 7 days without manually input the ip address?

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎09-07-2016 05:04 AM

You could try something like this and alert if count>0

... earliest=-7d@d | stats count as occurrences by ip | where occurrences>(enter your threshold number here)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-07-2016 05:02 AM

This should get you started.

index=foo threatid=bar | bin span=7d _time | stats count by ipaddress | where count > 1
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...