Solved: Alert if any IP or source consume high volume of b...

asharma21193 · ‎04-28-2020

I am trying to write a search for juniper firewall logs. Where I want to get alert if any user consume bandwidth more than 500 Mb in last one hour. I have desired logs in my Splunk like bytes_in and bytes_out. Kindly suggest.

index=main sourcetype="juniper:junos:firewall" host="10.10.10.1" | stats sum(bytes_out) AS TotalSent, sum(bytes_in) AS TotalRcvd by src
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| table src TotalMB

dsctm3 · ‎04-29-2020

Schedule the above search to run hourly
Add the following to the end of your search

| where TotalMB >=500

View solution in original post

asharma21193 · ‎05-08-2020

But it is showing bytes calculation for session wise and hence bandwidth value is very low. I want to do this sum calculation based on client ip address.

dsctm3 · ‎04-29-2020

Schedule the above search to run hourly
Add the following to the end of your search

| where TotalMB >=500

Alert if any IP or source consume high volume of bandwidth like more than 500 Mb

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!