Solved: Creating an alert with field value count within a ...

mcg_connor · ‎07-29-2019

I am trying to create an alert for the below search that would go off if within the event there are 10 times where EventCode equals 1 within a 5-minute span. I also want EventCode equals 2 once within that span which is why I am doing the search for EventID equals 1 AND EventID equals 2.

index="myindex" EventCode=1 OR EventCode=2   earliest=-5m
| transaction user   | search EventID=1 AND EventID=2  
| eventstats 
                count(eval(match(EventID,"1"))) as loginFail
                count(eval(match(EventID,"2"))) as loginSuccess
                by user
|table user,loginFail,loginSuccess
|where loginFail >= 10

Currently the results of this search are:

user                          loginFail            loginSuccess
testuser                          1                      1
exampleuser                       1                      1

Even if there are 3 times within the transaction where EventID equals 1 and 1 time where it equals 2.

Thanks for any help!

woodcock · ‎07-29-2019

DO NOT user transaction; try this:

index="myindex" AND (EventCode=1 OR EventCode=2) earliest=-5m
| eventstats count(eval(EventCode=1)) AS loginFail count(eval(EventCode=2)) AS loginSuccess BY user
| where loginFail >= 10 AND loginSuccess > 0

View solution in original post

woodcock · ‎07-29-2019

DO NOT user transaction; try this:

index="myindex" AND (EventCode=1 OR EventCode=2) earliest=-5m
| eventstats count(eval(EventCode=1)) AS loginFail count(eval(EventCode=2)) AS loginSuccess BY user
| where loginFail >= 10 AND loginSuccess > 0

mcg_connor · ‎07-29-2019

Awesome thanks for the helpful answer!

Creating an alert with field value count within a transaction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?