
Setting up custom condition for alert

Explorer

Hello,

I have the following search:

host="x.x.x.x" OR host="x.x.x.x" MessageType="Authen failed" PCI | eval SourceIP=CallerID | table _time, User_Name, GroupName, SourceIP | sort User_Name

But when I go to set the alert condition I set the custom condition to:

search User_Name >= 5

But it emails me an alert even though there are not more than 5 user names.

How can I set it so it only does it for more than 5 user names?

Thanks,


Re: Setting up custom condition for alert

Builder

Is User_Name a numeric value? If not, use count.


Re: Setting up custom condition for alert

Explorer

No, it's not a numeric value. Do you mean like this:

search count User_Name >= 5

I tried the above and that did not work either.

Thanks


Re: Setting up custom condition for alert

Influencer

That search will show multiple lines per User_Name for each failed login.

What do you want to happen ?

Have an alert for each User_Name that has more than 5 failed logins?
Have an alert if there are more than 5 unique User_Names listed?
Have an alert if there are more than 5 failed logins?


Re: Setting up custom condition for alert

Explorer

I want to have an alert for each User_Name that has more than 5 failed logins.


Re: Setting up custom condition for alert

Splunk Employee

To summarize, you are searching over plenty of records from different users, and you want an alert if there are more than 5 different users?

What do you want to send in the email?

For just the alert, what about something simpler that just alerts, with the alert condition directly in the search:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | stats dc(User_Name) as number_of_users values(User_Name) | where number_of_users>=5

If you still want to send the results, then you have to be smarter:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | transaction User_Name | table _time, User_Name, Group_Name, Source_IP

Or use a larger stats:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID
| stats count values(_time) values(Group_Name) values(Source_IP) by User_Name

and set the alert condition to number of results > 5.

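The two alert conditions discussed in this thread, as an added Python example that is not from the original posts or from Splunk: a small model of the base search and of the aggregations on top of it, run over constructed sample events. The first function models the per-user count the asker wants (the equivalent of `stats count ... by User_Name | where count > 5`, so the saved-search condition only has to be "number of results > 0"), the second models the distinct-user count (`stats dc(User_Name) ... | where number_of_users >= 5`). The host addresses, user names, source IPs and the key=value event layout are assumptions; the field names are taken from the thread.

```python
import re
from collections import defaultdict

# Hosts the base search filters on. The post used x.x.x.x; these addresses are placeholders.
MONITORED_HOSTS = {"10.0.0.1", "10.0.0.2"}

# Constructed sample events (not real logs). Field names follow the thread:
# MessageType, User_Name, Group_Name, CallerID; "PCI" is the free-text term in the search.
SAMPLE_EVENTS = (
    ['2014-03-04T10:00:%02d host=10.0.0.1 MessageType="Authen failed" '
     'User_Name=alice Group_Name=PCI CallerID=192.0.2.10' % i for i in range(6)]
    + ['2014-03-04T10:01:%02d host=10.0.0.2 MessageType="Authen failed" '
       'User_Name=bob Group_Name=PCI CallerID=192.0.2.11' % i for i in range(3)]
    + ['2014-03-04T10:02:00 host=10.0.0.1 MessageType="Authen failed" '
       'User_Name=carol Group_Name=PCI CallerID=192.0.2.12',
       # A successful login must not count towards the threshold.
       '2014-03-04T10:02:01 host=10.0.0.1 MessageType="Authen passed" '
       'User_Name=alice Group_Name=PCI CallerID=192.0.2.10',
       # A failure on a host outside the search's host filter must be ignored.
       '2014-03-04T10:02:02 host=10.0.0.9 MessageType="Authen failed" '
       'User_Name=dave Group_Name=PCI CallerID=192.0.2.13']
)

# key=value pairs; the value is either "quoted text" or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value event line into a dict, stripping quotes from values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    fields["_time"] = line.split(" ", 1)[0]
    fields["_raw"] = line
    return fields


def base_search(events, hosts=MONITORED_HOSTS):
    """Model of the base search from the question:
    host=... OR host=... MessageType="Authen failed" PCI | eval SourceIP=CallerID
    """
    matched = []
    for line in events:
        ev = parse_event(line)
        if ev.get("host") not in hosts:
            continue
        if ev.get("MessageType") != "Authen failed":
            continue
        if "PCI" not in line:  # bare keyword: matches anywhere in the raw event
            continue
        ev["SourceIP"] = ev.get("CallerID")  # eval SourceIP=CallerID
        matched.append(ev)
    return matched


def failed_logins_per_user(events, threshold=5, hosts=MONITORED_HOSTS):
    """Model of:
    ... | stats count values(SourceIP) values(Group_Name) by User_Name | where count > threshold
    Returns one row per user over the threshold, keyed by User_Name, in sorted order.
    """
    rows = defaultdict(lambda: {"count": 0, "SourceIP": set(), "Group_Name": set()})
    for ev in base_search(events, hosts):
        row = rows[ev["User_Name"]]
        row["count"] += 1
        row["SourceIP"].add(ev["SourceIP"])
        row["Group_Name"].add(ev["Group_Name"])
    return {
        user: {"count": r["count"],
               "SourceIP": sorted(r["SourceIP"]),
               "Group_Name": sorted(r["Group_Name"])}
        for user, r in sorted(rows.items())
        if r["count"] > threshold
    }


def distinct_failing_users(events, threshold=5, hosts=MONITORED_HOSTS):
    """Model of the other condition in the thread:
    ... | stats dc(User_Name) as number_of_users values(User_Name) | where number_of_users >= threshold
    Returns the distinct count, the sorted user list, and whether the alert would fire.
    """
    users = sorted({ev["User_Name"] for ev in base_search(events, hosts)})
    return {"number_of_users": len(users), "users": users, "alert": len(users) >= threshold}


if __name__ == "__main__":
    for user, row in failed_logins_per_user(SAMPLE_EVENTS).items():
        print("ALERT user=%s failed=%d from=%s" % (user, row["count"], ",".join(row["SourceIP"])))
    print(distinct_failing_users(SAMPLE_EVENTS))
```

With the constructed events, only alice (6 failures) exceeds the per-user threshold, while the distinct-user condition sees 3 users and stays quiet. Keeping the threshold inside the search, as the `where` clauses do, means the saved-search alert condition compares a count the search itself produced, which sidesteps comparing a string field such as User_Name against a number.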

Re: Setting up custom condition for alert

Communicator

I'm pretty new to Splunk, but it appears your condition is saying a variation of greater than or equal to.
