Splunk Enterprise Security

Alert if any IP or source consume high volume of bandwidth like more than 500 Mb

asharma21193
New Member

I am trying to write a search for juniper firewall logs. Where I want to get alert if any user consume bandwidth more than 500 Mb in last one hour. I have desired logs in my Splunk like bytes_in and bytes_out. Kindly suggest.

index=main sourcetype="juniper:junos:firewall" host="10.10.10.1" | stats sum(bytes_out) AS TotalSent, sum(bytes_in) AS TotalRcvd by src
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| table src TotalMB

Labels (1)
0 Karma
1 Solution

dsctm3
Path Finder
  1. Schedule the above search to run hourly
  2. Add the following to the end of your search

    | where TotalMB >=500

View solution in original post

asharma21193
New Member

But it is showing bytes calculation for session wise and hence bandwidth value is very low. I want to do this sum calculation based on client ip address.

0 Karma

dsctm3
Path Finder
  1. Schedule the above search to run hourly
  2. Add the following to the end of your search

    | where TotalMB >=500

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!