Solved: Re: Alert if any IP or source consume high volume ...

asharma21193 · ‎04-28-2020

I am trying to write a search for juniper firewall logs. Where I want to get alert if any user consume bandwidth more than 500 Mb in last one hour. I have desired logs in my Splunk like bytes_in and bytes_out. Kindly suggest.

index=main sourcetype="juniper:junos:firewall" host="10.10.10.1" | stats sum(bytes_out) AS TotalSent, sum(bytes_in) AS TotalRcvd by src
| eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2)
| table src TotalMB

dsctm3 · ‎04-29-2020

Schedule the above search to run hourly
Add the following to the end of your search

| where TotalMB >=500

View solution in original post

asharma21193 · ‎05-08-2020

But it is showing bytes calculation for session wise and hence bandwidth value is very low. I want to do this sum calculation based on client ip address.

dsctm3 · ‎04-29-2020

Schedule the above search to run hourly
Add the following to the end of your search

| where TotalMB >=500

Alert if any IP or source consume high volume of bandwidth like more than 500 Mb

other

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann