Email Alerts

luckymaddy · ‎04-28-2015

Hi,

I want to set an “Email alert when User failed login 5 times in last 10 minutes.
Please help me.

Thanks in Advance

mdessus_splunk · ‎04-28-2015

Edit the "Excessive failed login" default correlation search, change the count in the search, and edit the time parameters (Start time, End time, Cron Schedule) to run it each 10 minutes as said before.

stephane_cyrill · ‎04-28-2015

HI luckymaddy,

1-write your request that gives you the failed login as you want. it depends on your data.it may be something like:

source=security_log_file failed login earliest=10| timechart count by user|where count> 5

2-execute it in search and click SAVE AS ALERT.

3-on the first window put the title and chose what you want.....

4- on the 2nd window click SEND E-MAIL and fill the required informations. you can even customize the message to send by including a token value.

5-click save.

see all the details here:

docs.splunk.com/Documentation/Splunk/6.2.2/Alert/Alertexamples

juvetm · ‎04-28-2015

can you try something like this

* 10 /* * * *

Email Alerts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

Email Alerts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...