Splunk Search

Alert on user with different src address

RicoSuave
Builder

Hello,
I'm trying to set up an alert that fires when a user tries to log in from more than one src IP address within the last 24 hours.

My base search looks like index=myindex product=myvpnappliance

Src IPs and user fields are extracted automatically.

I've tried different searches to no effect. Can anybody please help?

1 Solution

RicoSuave
Builder

Both appear to work; I still need to figure out how to set up an alert to fire when the source IP count for any user is greater than 1.


ziegfried
Influencer

Choose if number of events is greater than 0 since you're already evaluating the condition in the search string.

RicoSuave
Builder

I understand the search and it does work; I also understand how to create alerts, since I have created them before. However, when I choose to create the alert, I only get three conditions: if number of events, hosts, source, and a custom condition. For now I'm just going to send an alert if that search returns any results, but ideally I would like an alert to fire as soon as a user is trying to connect from more than one unique src IP within a specified timeframe. I know this will require the search to run in real time and probably the use of a custom condition.

MarioM
Motivator

I am not sure what you mean, but you just need to click to create the alert below this search.
And ziegfried's search is the one to use, as it is more efficient.

ziegfried
Influencer

This might be more efficient:

index=myindex product=myvpnappliance | stats dc(src_ip) as src_ip_count by username | where src_ip_count>1
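The logic of the `stats dc(src_ip) as src_ip_count by username | where src_ip_count>1` search above, re-expressed in Python over constructed sample VPN events so that the difference between a fixed search window (everything in the last 24 hours) and the sliding "more than one src IP within a specified timeframe" condition RicoSuave asks about is visible. This is an added example, not code from this thread or from Splunk; the field names `username`, `src_ip` and `_time` follow the searches in the thread, and the sample events are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not real logs).
# carol's two logins come from different IPs but are 29 hours apart,
# so a 24-hour sliding window must not flag her.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T08:00:00", "username": "alice", "src_ip": "203.0.113.10"},
    {"_time": "2024-01-10T09:30:00", "username": "alice", "src_ip": "203.0.113.10"},
    {"_time": "2024-01-10T10:15:00", "username": "bob",   "src_ip": "198.51.100.7"},
    {"_time": "2024-01-10T11:00:00", "username": "bob",   "src_ip": "192.0.2.44"},
    {"_time": "2024-01-09T07:00:00", "username": "carol", "src_ip": "198.51.100.9"},
    {"_time": "2024-01-10T12:00:00", "username": "carol", "src_ip": "203.0.113.77"},
]


def parse_time(value):
    """Events carry ISO-8601 timestamps in this sample; Splunk's _time is epoch seconds."""
    return datetime.fromisoformat(value)


def distinct_src_by_user(events):
    """Equivalent of `stats dc(src_ip) as src_ip_count by username` over the whole search window."""
    ips_by_user = defaultdict(set)
    for event in events:
        ips_by_user[event["username"]].add(event["src_ip"])
    return {user: len(ips) for user, ips in ips_by_user.items()}


def users_with_multiple_src(events, threshold=1):
    """Equivalent of `| where src_ip_count>1`: users seen from more than `threshold` distinct IPs."""
    counts = distinct_src_by_user(events)
    return sorted(user for user, count in counts.items() if count > threshold)


def first_multi_src_within_span(events, span=timedelta(hours=24)):
    """Sliding-window variant: flag a user the first time two events with different
    src_ip values fall within `span` of each other. Returns {user: (detection_time, ips)}.
    This is a hypothetical alternative to the fixed-window stats search, not a Splunk feature."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["username"]].append((parse_time(event["_time"]), event["src_ip"]))
    hits = {}
    for user, user_events in by_user.items():
        user_events.sort()
        window = deque()  # events no older than `span` relative to the current event
        for when, ip in user_events:
            window.append((when, ip))
            while when - window[0][0] > span:
                window.popleft()
            ips_in_window = {w_ip for _, w_ip in window}
            if len(ips_in_window) > 1:
                hits[user] = (when, sorted(ips_in_window))
                break  # first detection is enough for an alert
    return hits


if __name__ == "__main__":
    print("dc(src_ip) by username:", distinct_src_by_user(SAMPLE_EVENTS))
    print("where src_ip_count>1:", users_with_multiple_src(SAMPLE_EVENTS))
    print("within 24h sliding window:", first_multi_src_within_span(SAMPLE_EVENTS))
```

With the fixed-window logic both bob and carol are flagged, because the search simply counts distinct IPs across everything it was given; with the 24-hour sliding window only bob is flagged, since carol's two logins are further apart than the span. In Splunk the fixed-window search is what a scheduled alert over `earliest=-24h` evaluates, which is why the "number of events greater than 0" trigger condition is sufficient there.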

MarioM
Motivator

What about:

index=myindex product=myvpnappliance | transaction username maxspan=24h | where mvcount(src_ip) > 1 | table username src_ip

southeringtonp
Motivator

While this should work, using transaction is a pretty inefficient approach for this particular case. Much better to use stats as ziegfried suggests.
