Splunk Search

How to alert when a field value has > 500 events?

mninansplunk
Path Finder

Hello,

I'm not sure how to achieve this.  I need to create an alert for when a field (user) value has > 500 events for when another field (eventType) is filtered on a specific value.

i.e.  

User: John

EventType: Blocked

I can't figure it out.  Here's what I have so far:

 

|stats count by user, eventType
|eventstats sum(count) as count by eventType
|stats values(eventType) as Blocked, values(user) as user
|table user, Blocked
|where count>500

 

Thanks for any help on this,

Tom

1 Solution

yuanliu
SplunkTrust

Would this do

|stats count by user, eventType
| where eventType == "Blocked" AND count > 500

(Note your code sample says eventType while the text description says EventType.)
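
As an added example (not part of the accepted answer or of the original poster's search), the same per-user threshold written the way it would typically be saved as a scheduled alert. Two things change relative to the answer above: the `eventType="Blocked"` filter moves into the base search so Splunk only counts the events that matter, and the search is pinned to a fixed one-hour window so a "> 500 events" threshold means something definite. The index, sourcetype and window are assumptions; substitute your own. Note that a `key=value` term in the base search matches the value case-insensitively, whereas `where eventType == "Blocked"` in an `eval`/`where` expression is a case-sensitive string comparison, and field names (`eventType` vs `EventType`) are always case-sensitive.

```spl
index=proxy sourcetype=proxy_logs earliest=-1h@h latest=@h eventType="Blocked"
| stats count AS blocked_count, earliest(_time) AS first_seen, latest(_time) AS last_seen BY user
| where blocked_count > 500
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - blocked_count
```

Save it as an alert scheduled on the same cadence as the window (here, hourly on the hour) and trigger when the number of results is greater than zero; each result row is one user over the threshold, with the first and last blocked event for triage. For comparison, the search in the question cannot fire: `eventstats sum(count) as count by eventType` replaces every user's count with the total for that eventType, the following `stats values(...)` collapses everything to a single row, and `table user, Blocked` drops the `count` field, so the final `where count>500` has nothing to evaluate and returns no rows.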

mninansplunk
Path Finder

Perfect, that did the trick, thank you for the help.
