Alert on user with different src address

RicoSuave
Builder

Hello,
I'm trying to set up an alert that fires when a user tries to log in from more than one src IP address within the last 24 hours.

My base search looks like index=myindex product=myvpnappliance

Src IPs and user fields are extracted automatically.

I've tried different searches to no effect. Can anybody please help?

1 Solution

RicoSuave
Builder

Both appear to work. I still need to figure out how to set up an alert to fire when the source IP count for any user is greater than 1.


ziegfried
Influencer

Choose if number of events is greater than 0 since you're already evaluating the condition in the search string.


RicoSuave
Builder

I understand the search and it does work; I also understand how to create alerts, since I have created them before. However, when I choose to create the alert, I only get three conditions: if number of events, hosts, source, and a custom condition. For now I'm just going to send an alert if that search returns any results, but ideally I would like an alert to fire as soon as a user is trying to connect from more than one unique src IP within a specified timeframe. I know this will require the search to run in real time and probably the use of a custom condition.


MarioM
Motivator

I am not sure what you mean, but you just need to click "create alert" below this search.
And ziegfried's search is the one to use, as it is more efficient.


ziegfried
Influencer

This might be more efficient:

index=myindex product=myvpnappliance | stats dc(src_ip) as src_ip_count by username | where src_ip_count>1
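To show what the stats search above computes, and how it differs from the "fire as soon as a user connects from a second IP within the timeframe" behaviour asked for further up the thread, here is an added Python example (not from the original thread or from Splunk). It assumes constructed VPN log lines with the same username and src_ip fields the searches use; distinct_sources_fixed_window is the equivalent of dc(src_ip) by username over the whole search range, and alerts_rolling_window evaluates a per-user 24h sliding window as each event arrives.

```python
"""Flag VPN users seen from more than one source IP, fixed-window and rolling-window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log lines (not real appliance output). Field names mirror
# the username / src_ip fields the thread's searches rely on.
SAMPLE_LOGS = """
2024-03-01T08:00:00Z product=myvpnappliance action=login username=alice src_ip=203.0.113.10
2024-03-01T09:15:00Z product=myvpnappliance action=login username=bob src_ip=198.51.100.7
2024-03-01T12:30:00Z product=myvpnappliance action=login username=alice src_ip=203.0.113.10
2024-03-01T20:45:00Z product=myvpnappliance action=login username=alice src_ip=192.0.2.55
2024-03-02T07:59:00Z product=myvpnappliance action=login username=bob src_ip=198.51.100.7
2024-03-03T10:00:00Z product=myvpnappliance action=login username=bob src_ip=192.0.2.99
""".strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ISO timestamp> key=value ...' into a dict with a UTC _time field."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def distinct_sources_fixed_window(events):
    """Equivalent of `stats dc(src_ip) as src_ip_count by username | where src_ip_count>1`
    over everything in the search range (e.g. a scheduled search with earliest=-24h)."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["username"]].add(ev["src_ip"])
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) > 1}


def alerts_rolling_window(events, window=timedelta(hours=24)):
    """Process events in time order and alert the moment a user has been seen
    from more than one distinct src_ip inside the trailing `window`.
    Returns (username, event time, sorted IPs) per alerting event."""
    recent = defaultdict(deque)  # username -> (time, src_ip) pairs, oldest first
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        q = recent[ev["username"]]
        q.append((ev["_time"], ev["src_ip"]))
        cutoff = ev["_time"] - window
        while q and q[0][0] < cutoff:  # drop logins that fell out of the window
            q.popleft()
        ips = {ip for _, ip in q}
        if len(ips) > 1:
            alerts.append((ev["username"], ev["_time"].isoformat(), sorted(ips)))
    return alerts


if __name__ == "__main__":
    evs = [parse_line(l) for l in SAMPLE_LOGS]
    print("fixed window (whole range):", distinct_sources_fixed_window(evs))
    print("rolling 24h window:", alerts_rolling_window(evs))
```

On the constructed data the whole-range version flags both users, because bob used two IPs across three days, while the rolling version alerts only for alice, whose second IP appeared within 24h of the first. A scheduled search over the last 24h behaves like the first function with a tumbling window, so a user whose two logins straddle the boundary between runs can be missed; that is the gap a real-time search with a custom condition closes.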

MarioM
Motivator

What about this:

index=myindex product=myvpnappliance | transaction username maxspan=24h | where mvcount(src_ip) > 1 | table username src_ip

southeringtonp
Motivator

While this should work, using transaction is a pretty inefficient approach for this particular case. Much better to use stats as ziegfried suggests.
