Solved: Alert based on same domain count

balcv · ‎09-18-2019

We have email data reported in Splunk and I want to build an Alert, based on a search, that can trigger if it sees more then 250 events where the same email domain appears in the sender address.

For example, a flood of emails comes from [randomstuff]@uchc.edu among lots of other email traffic over a 30 minute period. I'm wanting the alert to trigger because it sees more than 250 events where the email domain is uchc.edu.

The alert needs to be able to identify the domain based on what is in the traffic and NOT a domain that is coded into the search.

Is this possible and is there any tips on how to create it. I apologize that I do not have any code to submit as I really do not know where to start.

balcv · ‎09-18-2019

I've figured it out. Not so hard when you put your mind to it.

index="*" 
| eval tmp=split(Sender,"@") 
| eval senderDomain=mvindex(tmp,1) 
| chart count by senderDomain 
| addtotals row=true fieldname=totalCount 
| where totalCount >= 150 
| fields - totalCount | sort -count

View solution in original post

balcv · ‎09-18-2019

I've figured it out. Not so hard when you put your mind to it.

index="*" 
| eval tmp=split(Sender,"@") 
| eval senderDomain=mvindex(tmp,1) 
| chart count by senderDomain 
| addtotals row=true fieldname=totalCount 
| where totalCount >= 150 
| fields - totalCount | sort -count

Alert based on same domain count

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Join the Conversation

Alert based on same domain count

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard