Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search Chain

phillipmadm
Explorer
‎05-09-2017 01:04 PM

Hopefully this is an easy one.
We have an alert setup that notifies us if a specific error occurs more than 30 times in 1 minute. It works and gives us a nice little report of the hit count. Since this report is a mass disconnect alert, it was based on the quantity of termination messages. We now need to notify the users associated with the mass disconnect. Username field is available in the source messages but I'm having an issue chaining the logic together.

Base alert below.
index=security source="application.log" application_message=termination| bucket _time span=1m | stats count by _time | WHERE count > 30

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎05-09-2017 04:00 PM 
index=security source="application.log" application_message=termination
| bucket _time span=1m 
| stats count as termCount, values(username) as username by _time 
| WHERE termCount > 30

The result will be a multivalue field with each username in it.

If you wanted to break out the field again for individual notification, then use 

| mvexpand username

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎05-09-2017 04:00 PM 
index=security source="application.log" application_message=termination
| bucket _time span=1m 
| stats count as termCount, values(username) as username by _time 
| WHERE termCount > 30

The result will be a multivalue field with each username in it.

If you wanted to break out the field again for individual notification, then use 

| mvexpand username
0 Karma
Reply
Solved! Jump to solution

phillipmadm
Explorer
‎05-10-2017 05:55 AM

Worked like a charm.
Thanks

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...