Splunk Search

How to alert when a field value has > 500 events?

mninansplunk
Path Finder

Hello,

I'm not sure how to achieve this. I need to create an alert for when a field (user) value has > 500 events when another field (eventType) is filtered on a specific value.

i.e.

User: John

EventType: Blocked

I can't figure it out. Here's what I have so far:

 

|stats count by user, eventType
|eventstats sum(count) as count by eventType
|stats values(eventType) as Blocked, values(user) as user
|table user, Blocked
|where count>500

 

Thanks for any help on this,

Tom


yuanliu
SplunkTrust

Would this do?

|stats count by user, eventType
| where eventType == "Blocked" AND count > 500

(Note your code sample says eventType while the text description says EventType.)
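To make concrete what the accepted search computes, and why the question's pipeline never returns a row, here is an added Python emulation over constructed sample events (this is not Splunk code and not from the original post; each function mirrors one SPL command sequence). The users, the eventType value "Blocked" and the 500 threshold come from the question; the event counts are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the original post). John has more than
# 500 "Blocked" events; Alice has many events overall but few "Blocked" ones.
EVENTS = (
    [{"user": "John", "eventType": "Blocked"}] * 620
    + [{"user": "John", "eventType": "Allowed"}] * 40
    + [{"user": "Alice", "eventType": "Blocked"}] * 300
    + [{"user": "Alice", "eventType": "Allowed"}] * 900
)


def stats_count_by_user_type(events):
    """| stats count by user, eventType   ->  {(user, eventType): count}"""
    return Counter((e["user"], e["eventType"]) for e in events)


def alert_rows(events, event_type="Blocked", threshold=500):
    """Accepted answer:
        | stats count by user, eventType
        | where eventType == "Blocked" AND count > 500
    Returns {user: count} for users over the threshold on that eventType."""
    counts = stats_count_by_user_type(events)
    return {user: n for (user, etype), n in counts.items()
            if etype == event_type and n > threshold}


def original_pipeline(events, threshold=500):
    """The question's pipeline, emulated step by step, to show why it never
    produces a row: eventstats overwrites the per-user count with the
    per-eventType total, and the final stats drops the count field entirely."""
    rows = [{"user": u, "eventType": t, "count": n}
            for (u, t), n in stats_count_by_user_type(events).items()]
    # | eventstats sum(count) as count by eventType
    totals = defaultdict(int)
    for r in rows:
        totals[r["eventType"]] += r["count"]
    for r in rows:
        r["count"] = totals[r["eventType"]]
    # | stats values(eventType) as Blocked, values(user) as user
    collapsed = [{"Blocked": sorted({r["eventType"] for r in rows}),
                  "user": sorted({r["user"] for r in rows})}]
    # | table user, Blocked   (both fields exist, so nothing changes)
    # | where count>500       (count no longer exists, so every row is dropped)
    return [r for r in collapsed
            if r.get("count") is not None and r["count"] > threshold]
```

Alice has 1200 events in total but only 300 "Blocked" ones, so she correctly does not trigger the alert; filtering on eventType before the threshold is what keeps the count per user and per type.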


mninansplunk
Path Finder

Perfect, that did the trick, thank you for the help.
