Splunk Search

Setting up custom condition for alert

robK123
Explorer

Hello,

I have the following search:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | table _time, User_Name, Group_Name, Source_IP | sort User_Name

But when I go to set the alert condition, I set the custom condition to:

search User_Name >= 5

But it emails me an alert even though there are not more than 5 user names.

How can I set it so it only does it for more than 5 user names?

Thanks,


ryhluc01
Communicator

I'm pretty new to Splunk, but it appears like your condition is saying a variation of greater than or equal to.


yannK
Splunk Employee

To summarize, you are searching over plenty of records, from different users, and you want an alert if there are more than 5 different users?

What do you want to send in the email?

For just the alert, what about something simpler that just alerts, with the alert condition directly in the search:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | stats dc(User_Name) As number_of_users values(User_Name) | where number_of_users>=5

If you still want to send the results, then you have to be smarter:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | transaction User_Name | table _time, User_Name, Group_Name, Source_IP

Or use a larger stats:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID
| stats count values(_time), values(Group_Name) values(Source_IP) by User_Name

and set the alert condition on number of results > 5.

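As an added example (not from this thread and not Splunk code), here is a Python model of the two aggregations in the searches above: `stats dc(User_Name)` with a threshold applied in a `where`, and `stats count ... by User_Name` producing one row per user, to which a per-user threshold can be applied. The events are constructed sample data standing in for the output of the base search after `eval Source_IP=Caller_ID`; the user names, group names, IPs, timestamps and the function names are all assumptions made for the example.

```python
"""Python model of the Splunk aggregations discussed in this thread (added
example, not from the thread or from Splunk). The constructed events stand in
for the output of the base search after `eval Source_IP=Caller_ID`."""
from collections import defaultdict

# Constructed sample events: each dict is one "Authen failed" event.
# alice has 6 failures, bob 2, the other four users 1 each (6 distinct users).
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "User_Name": "alice", "Group_Name": "pci-ops", "Caller_ID": "10.0.0.5"},
    {"_time": "2024-01-01T10:00:07", "User_Name": "alice", "Group_Name": "pci-ops", "Caller_ID": "10.0.0.5"},
    {"_time": "2024-01-01T10:00:15", "User_Name": "alice", "Group_Name": "pci-ops", "Caller_ID": "10.0.0.5"},
    {"_time": "2024-01-01T10:00:21", "User_Name": "alice", "Group_Name": "pci-ops", "Caller_ID": "10.0.0.9"},
    {"_time": "2024-01-01T10:00:30", "User_Name": "alice", "Group_Name": "pci-ops", "Caller_ID": "10.0.0.9"},
    {"_time": "2024-01-01T10:00:42", "User_Name": "alice", "Group_Name": "pci-ops", "Caller_ID": "10.0.0.9"},
    {"_time": "2024-01-01T10:05:00", "User_Name": "bob",   "Group_Name": "pci-dev", "Caller_ID": "10.0.1.2"},
    {"_time": "2024-01-01T10:06:00", "User_Name": "bob",   "Group_Name": "pci-dev", "Caller_ID": "10.0.1.2"},
    {"_time": "2024-01-01T11:00:00", "User_Name": "carol", "Group_Name": "pci-dev", "Caller_ID": "10.0.1.3"},
    {"_time": "2024-01-01T11:10:00", "User_Name": "dave",  "Group_Name": "pci-ops", "Caller_ID": "10.0.1.4"},
    {"_time": "2024-01-01T11:20:00", "User_Name": "erin",  "Group_Name": "pci-ops", "Caller_ID": "10.0.1.5"},
    {"_time": "2024-01-01T11:30:00", "User_Name": "frank", "Group_Name": "pci-dev", "Caller_ID": "10.0.1.6"},
]


def eval_source_ip(events):
    """`eval Source_IP=Caller_ID`: copy Caller_ID into a new Source_IP field."""
    return [dict(e, Source_IP=e["Caller_ID"]) for e in events]


def distinct_users(events):
    """`stats dc(User_Name)`: number of distinct user names in the results."""
    return len({e["User_Name"] for e in events})


def distinct_user_alert(events, threshold=5):
    """`stats dc(User_Name) As number_of_users values(User_Name) | where number_of_users>=5`.
    Returns the single stats row when the condition holds (the alert fires),
    otherwise None, modelling an empty result set (the alert stays quiet)."""
    n = distinct_users(events)
    if n >= threshold:
        return {"number_of_users": n, "users": sorted({e["User_Name"] for e in events})}
    return None


def count_by_user(events):
    """`stats count values(_time) values(Group_Name) values(Source_IP) by User_Name`:
    one row per user, as in the larger stats search."""
    rows = defaultdict(lambda: {"count": 0, "_time": set(), "Group_Name": set(), "Source_IP": set()})
    for e in events:
        r = rows[e["User_Name"]]
        r["count"] += 1
        r["_time"].add(e["_time"])
        r["Group_Name"].add(e["Group_Name"])
        r["Source_IP"].add(e["Source_IP"])
    # values() yields a sorted multivalue field; model that with sorted lists.
    return {u: {k: (sorted(v) if isinstance(v, set) else v) for k, v in r.items()}
            for u, r in rows.items()}


def users_over_threshold(events, threshold=5):
    """Per-user condition: `| where count > 5` appended to the stats-by-user
    search, i.e. users with more than `threshold` failed logins.
    Returns {user: count} for the users above the threshold."""
    return {u: r["count"] for u, r in count_by_user(events).items() if r["count"] > threshold}


if __name__ == "__main__":
    results = eval_source_ip(SAMPLE_EVENTS)
    print("distinct users:", distinct_users(results))
    print("alert row (distinct users >= 5):", distinct_user_alert(results))
    for user, row in sorted(count_by_user(results).items()):
        print(user, row["count"], row["Source_IP"])
    print("users with more than 5 failures:", users_over_threshold(results))
```

Run as-is it shows the difference between the two conditions on the same data: the distinct-user threshold fires because six users appear, while the per-user threshold flags only the one user with more than five failures.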

robK123
Explorer

I want to have an alert for each User_Name that has more than 5 failed logins.


jonuwz
Influencer

That search will show multiple lines per User_Name for each failed login.

What do you want to happen?

Have an alert for each User_Name that has more than 5 failed logins?
Have an alert if there are more than 5 unique User_Names listed?
Have an alert if there are more than 5 failed logins?


jangid
Builder

Is User_Name a numeric value? If not, use count.


robK123
Explorer

No, it's not a numeric value. Do you mean like this:

search count User_Name >= 5

I tried the above and that did not work either.

Thanks
