In short, we have a particular search that we want to run during a specific period, and we want that search to stop after that specific period.
We are trying to introduce some automation into our Splunk searches at the moment, and one of the searches we are looking to automate forms part of our call-out process. We get called out for a specific event, where we then have to run a few searches and set the time frame manually.
The event that we get called out for is triggered once the LoginLimit > 30, which we can view on a line graph. We know the event has ended because the LoginLimit falls back below 30.
What we are trying to achieve is to somehow automate the searches when the LoginLimit > 30 and stop the search once the LoginLimit < 30 again, then output the results.
Hopefully I've articulated this as clearly as possible, but if not I'll do my best to clear things up.
Could you please tell us a bit more about what else that search does apart from looking for LoginLimit > 30? Also, once the said duration is over, would you like to see the output in the form of an email or in a dashboard, etc.?
The reason behind asking these questions is to better understand the requirement. If you'd like to see the output of the search after the duration is over in an email, then just scheduling the search with a targeted time range and cron can help you run it automatically, and the results of each iteration can be put into a static lookup. Then another search can be scheduled and configured to run after the event is over, which will basically pull the results of the lookup and send them to you over email.
If the requirement is to do something else, then a solution for that can be designed accordingly.
So it's to do with our credential stuffing process. The Splunk search should capture the login attempts during an attack, which can last from 2 minutes to 10 minutes. Originally we had it as a time-based search, but the metrics kept getting skewed because of how long some of the attacks were taking.
We would ideally like to see output in the form of an email, but we have this process already in place.
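A concrete form of the scheduling, lookup and email approach suggested in the reply above, applied to the credential stuffing windows described in the follow-up. This is an added example, not code from the thread and not from Splunk's own documentation. The index and sourcetype, the field names src_ip and user, the lookup file name, the app path, the mail address and the 30-minute lookback are all assumptions; LoginLimit is recomputed here as login attempts per minute rather than read from an existing field. The point of the first search is that the window boundaries come from the threshold itself (first minute over 30 to the first quiet minute after it) instead of from a fixed time range, which is what skews a time-based search when attacks vary between 2 and 10 minutes.

```ini
# savedsearches.conf (assumed location: $SPLUNK_HOME/etc/apps/callout/local/)
# Added example, not from the thread. Assumptions: one event per login attempt in
# index=auth sourcetype=login_attempts with fields src_ip and user; LoginLimit is
# the per-minute attempt count, recomputed below with timechart; threshold is 30;
# no single attack lasts longer than the collector's 30-minute lookback.

[credstuff_collect_windows]
# Every 5 minutes: bucket attempts per minute, flag minutes over the threshold,
# merge consecutive flagged minutes into one window, append the windows to a
# lookup. timechart fills empty minutes with count 0, so a quiet minute closes a
# window instead of being skipped (stats BY _time would drop it).
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -30m@m
dispatch.latest_time = @m
search = index=auth sourcetype=login_attempts \
  | timechart span=1m count AS LoginLimit \
  | eval attack=if(LoginLimit>30,1,0) \
  | streamstats current=f last(attack) AS prev_attack \
  | eval prev_attack=coalesce(prev_attack,0) \
  | eval new_window=if(attack=1 AND prev_attack=0,1,0) \
  | streamstats sum(new_window) AS window_id \
  | where attack=1 \
  | stats min(_time) AS window_start, max(_time) AS last_minute, max(LoginLimit) AS peak_per_min, sum(LoginLimit) AS attempts BY window_id \
  | eval window_end=last_minute+60 \
  | fields window_start window_end peak_per_min attempts \
  | outputlookup append=true credstuff_windows.csv

[credstuff_report]
# Runs 2 minutes after each collector run so the lookup is already updated.
# A window counts as "over" once its end is at least 2 minutes before this run,
# i.e. the collector has seen a quiet minute after it. Overlapping collector
# runs append the same window several times (possibly with a growing end while
# the attack continues), so keep the latest end per start. Then re-search the
# raw attempts inside each finished window (the "targeted time range" from the
# reply) and email only when at least one window finished in this interval.
enableSched = 1
cron_schedule = 2-59/5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = | inputlookup credstuff_windows.csv \
  | stats max(window_end) AS window_end, max(peak_per_min) AS peak_per_min BY window_start \
  | where window_end >= relative_time(now(), "-7m@m") AND window_end < relative_time(now(), "-2m@m") \
  | map maxsearches=10 search="search index=auth sourcetype=login_attempts earliest=$window_start$ latest=$window_end$ | stats count AS attempts, dc(src_ip) AS distinct_sources, dc(user) AS distinct_accounts, values(src_ip) AS sources | eval window_start=$window_start$, window_end=$window_end$, peak_per_min=$peak_per_min$" \
  | eval duration_min=round((window_end-window_start)/60) \
  | convert ctime(window_start) ctime(window_end) \
  | table window_start window_end duration_min peak_per_min attempts distinct_sources distinct_accounts sources
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = soc@example.com
action.email.subject = Credential stuffing window ended (LoginLimit > 30)
action.email.sendresults = 1
action.email.inline = 1
```

Two practical caveats. inputlookup errors if the CSV does not exist yet, so let the collector run once (or create the lookup by hand) before enabling the report. The collector only sees windows that start inside its lookback, so the lookback must be longer than the longest attack you expect; if an attack outlives it, the recorded window_start drifts later and the windows stop deduplicating by start, so widen dispatch.earliest_time rather than shortening the cron interval.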