Splunk Enterprise Security

Alert if any IP or source consume high volume of bandwidth like more than 500 Mb

asharma21193
New Member

I am trying to write a search for juniper firewall logs. Where I want to get alert if any user consume bandwidth more than 500 Mb in last one hour. I have desired logs in my Splunk like bytes_in and bytes_out. Kindly suggest.

index=main sourcetype="juniper:junos:firewall" host="10.10.10.1" | stats sum(bytes_out) AS TotalSent, sum(bytes_in) AS TotalRcvd by src
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| table src TotalMB

Labels (1)
0 Karma
1 Solution

dsctm3
Path Finder
  1. Schedule the above search to run hourly
  2. Add the following to the end of your search

    | where TotalMB >=500

View solution in original post

asharma21193
New Member

But it is showing bytes calculation for session wise and hence bandwidth value is very low. I want to do this sum calculation based on client ip address.

0 Karma

dsctm3
Path Finder
  1. Schedule the above search to run hourly
  2. Add the following to the end of your search

    | where TotalMB >=500

Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...