Hello,
I have the following search:
host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | table _time, User_Name, Group_Name, Source_IP | sort User_Name
But when I go to set the alert condition I set the custom condition to:
search User_Name >= 5
But it emails me an alert even though there are not more than 5 user names.
How can I set it so it only does it for more than 5 user names?
Thanks,
I'm pretty new to Splunk, but it appears like your condition is saying a variation of greater than or equal to.
To summarize, you are searching over plenty of records from different users, and you want an alert if there are more than 5 different users?
What do you want to send in the email?
For just the alert, what about something simpler that just alerts, with the alert condition directly in the search:
host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | stats dc(User_Name) AS number_of_users values(User_Name) AS users | where number_of_users>=5
If you still want to send the results, then you have to be smarter:
host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | transaction User_Name | table _time, User_Name, Group_Name, Source_IP
Or use a larger stats:
host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID
| stats count values(_time) values(Group_Name) values(Source_IP) by User_Name
And the alert condition on number of results > 5.
I want to have an alert for each User_Name that has more than 5 failed logins.
That search will show multiple lines per User_Name for each failed login.
What do you want to happen?
Have an alert for each User_Name that has more than 5 failed logins?
Have an alert if there are more than 5 unique User_Names listed?
Have an alert if there are more than 5 failed logins?
Is User_Name a numeric value? If not, use count.
No, it's not a numeric value. Do you mean like this:
search count User_Name >= 5
I tried the above and that did not work either.
Thanks
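As an added example (not posted by anyone in the thread), here is one search that implements the condition the asker settled on, a separate alert row for each User_Name with more than 5 failed logins, while keeping the Group_Name and Source_IP fields from the original table. The host values and the PCI term are carried over from the question unchanged; the field names failed_logins, first_seen and last_seen are names chosen here. The reason the original custom condition did not work is that `search User_Name >= 5` is appended to the result rows and evaluated against each row's User_Name value; it never counts rows. Doing the counting in the search itself with `stats ... by User_Name` and `where` avoids that.

```spl
(host="x.x.x.x" OR host="x.x.x.x") Message_Type="Authen failed" PCI
| eval Source_IP=Caller_ID
| stats count AS failed_logins
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(Group_Name) AS Group_Name
        values(Source_IP) AS Source_IP
        by User_Name
| where failed_logins > 5
| convert ctime(first_seen) ctime(last_seen)
| sort - failed_logins
```

Save this as the alert search and set the trigger condition to "Number of Results is greater than 0": every row that reaches the alert is already a user over the threshold, so the email contains exactly the offending User_Name rows and nothing else. The two other readings raised in the thread are one-line changes to the stats stage: more than 5 distinct users is `| stats dc(User_Name) AS number_of_users | where number_of_users > 5`, and more than 5 failed logins in total is `| stats count | where count > 5`; in both cases the trigger condition stays "Number of Results is greater than 0".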