Splunk Search

How to search multiple lines and create an alert when certain values match?

junster
Explorer

Hi, 

I am a beginner here in Splunk. I am trying to search multiple lines in the log and generate an alert if certain values match. 

For example, in the log below, I wanted to compare the IP address (10.0.46.173) when the Error Code is "ERROR_CREDENTIAL". If the IP addresses are the same, then an alert will be created.

 

2022-12-13 19:05:48.247 ERROR:ip-10-0-46-173.ap-northeast-1.compute.internal,10.0.46.173,19:05:48,ERROR_CREDENTIAL,sfsdf

2022-12-13 19:06:00.580 ERROR:ip-10-0-46-173.ap-northeast-1.compute.internal,10.0.46.173,19:06:00,ERROR_CREDENTIAL,kjsadasd

2022-12-13 19:06:17.537 ERROR:ip-10-0-46-173.ap-northeast-1.compute.internal,10.0.46.173,19:06:17,ERROR_CREDENTIAL,opuio

 

I wonder if anyone could help and guide me with right document.

 

Thanks,

Junster

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

You could search for events with "ERROR_CREDENTIAL" in, then extract the ip address from the event and count by ip address

| search ERROR_CREDENTIAL
| rex "ip-(?<ip>\d+\-\d+\-\d+\-\d+)\."
| stats count by ip
| where count > 1

View solution in original post

junster
Explorer

Thank you, ITWhisper. It worked. 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could search for events with "ERROR_CREDENTIAL" in, then extract the ip address from the event and count by ip address

| search ERROR_CREDENTIAL
| rex "ip-(?<ip>\d+\-\d+\-\d+\-\d+)\."
| stats count by ip
| where count > 1
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...