Setting up custom condition for alert



I have the following search:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | table _time, User_Name, Group_Name, Source_IP | sort User_Name

But when I go to set the alert condition, I set the custom condition to:

search User_Name >= 5

But it emails me an alert even though there are not more than 5 user names.

How can I set it so it only does it for more than 5 user names?




I'm pretty new to Splunk, but it appears your condition is saying a variation of greater than or equal to.


Splunk Employee

To summarize, you are searching over plenty of records from different users, and you want an alert if there are more than 5 different users?

What do you want to send in the email?

For just the alert, what about something simpler that just alerts, with the alert condition directly in the search:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | stats dc(User_Name) AS number_of_users values(User_Name) | where number_of_users>=5

If you still want to send the results, then you have to be smarter.

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | transaction User_Name | table _time, User_Name, Group_Name, Source_IP

Or use a larger stats:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID
| stats count values(_time), values(Group_Name) values(Source_IP) by User_Name

And set the alert condition to number of results > 5.

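An added example, not part of the original thread, of how the "one row per User_Name with more than 5 failed logins" variant of the above could be written so the alert condition lives in the search itself. The host, Message_Type, Caller_ID and PCI terms are the ones from the question; the field names failed_logins, first_seen and last_seen are names chosen here for illustration. Strictly "more than 5" is `> 5`; use `>= 5` if 5 should also fire.

```spl
(host="x.x.x.x" OR host="x.x.x.x") Message_Type="Authen failed" PCI
| eval Source_IP=Caller_ID
| stats count AS failed_logins
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(Group_Name) AS Group_Name
        values(Source_IP) AS Source_IP
        BY User_Name
| where failed_logins > 5
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failed_logins
```

The parentheses around the two host clauses only make the intended grouping explicit; they do not change what the original search matched. Save this as an alert with the trigger condition "Number of Results is greater than 0" and Trigger set to "For each result" to get one email per offending user (or "Once" for a single email listing all of them). The reason `search User_Name >= 5` fired on every run is that a custom trigger condition is itself a search run over the result rows: it tests each row's User_Name value against 5, it does not count rows. If you prefer to keep a custom condition, drop the `| where ...` line from the search and use `search failed_logins > 5` as the condition, so the comparison is made against a numeric count. Replacing the `stats ... BY User_Name` with `stats dc(User_Name) AS number_of_users` gives the "more than 5 distinct users" version instead.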


I want to Have an alert for each User_Name that has more than 5 failed logins



That search will show multiple lines per User_Name for each failed login.

What do you want to happen?

Have an alert for each User_Name that has more than 5 failed logins?
Have an alert if there are more than 5 unique User_Names listed?
Have an alert if there are more than 5 failed logins?



Is User_Name a numeric value? If not, use count.



No, it's not a numeric value. Do you mean like this:

search count User_Name >= 5

I tried the above and that did not work either.
