Splunk Search

Setting up custom condition for alert

robK123
Explorer

Hello,

I have the following search:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | table _time, User_Name, Group_Name, Source_IP | sort User_Name

But when I go to set the alert condition I set the custom condition to:

search User_Name >= 5

But it emails me an alert even though there are not more than 5 user names.

How can I set it so it only does it for more than 5 user names?

Thanks,


ryhluc01
Communicator

I'm pretty new to Splunk, but it appears like your condition is saying a variation of greater than or equal to.


yannK
Splunk Employee

To summarize: you are searching over plenty of records from different users, and you want an alert if there are more than 5 different users?

What do you want to send in the email?

For just the alert, what about something simpler that just alerts, with the alert condition directly in the search:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | stats dc(User_Name) as number_of_users values(User_Name) | where number_of_users >= 5

If you still want to send the results, then you have to be smarter.

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID | transaction User_Name | table _time, User_Name, Group_Name, Source_IP

or use a large stats:

host="x.x.x.x" OR host="x.x.x.x" Message_Type="Authen failed" PCI | eval Source_IP=Caller_ID
| stats count values(_time), values(Group_Name) values(Source_IP) by User_Name

and set the alert condition on number of results > 5.


robK123
Explorer

I want to have an alert for each User_Name that has more than 5 failed logins.


jonuwz
Influencer

That search will show multiple lines per User_Name for each failed login.

What do you want to happen?

Have an alert for each User_Name that has more than 5 failed logins?
Have an alert if there are more than 5 unique User_Names listed?
Have an alert if there are more than 5 failed logins?


jangid
Builder

Is User_Name a numeric value? If not, use count.


robK123
Explorer

No, it's not a numeric value. Do you mean like this:

search count User_Name >= 5

I tried the above and that did not work either.

Thanks

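The three alert interpretations jonuwz lists above, evaluated over constructed sample events, as an added Python example that is not part of the thread; the SPL equivalent of each function is given in its docstring, and the threshold semantics ("more than 5") are taken from the question.

```python
from collections import Counter

# Constructed sample "Authen failed" events (not real data) carrying the
# fields used in the thread's search: _time, User_Name, Group_Name, Source_IP.
EVENTS = [
    {"_time": t, "User_Name": u, "Group_Name": g, "Source_IP": ip}
    for t, u, g, ip in [
        ("10:00", "alice", "pci", "10.0.0.5"), ("10:01", "alice", "pci", "10.0.0.5"),
        ("10:02", "alice", "pci", "10.0.0.5"), ("10:03", "alice", "pci", "10.0.0.5"),
        ("10:04", "alice", "pci", "10.0.0.5"), ("10:05", "alice", "pci", "10.0.0.9"),
        ("10:06", "bob", "pci", "10.0.0.7"), ("10:07", "bob", "pci", "10.0.0.7"),
        ("10:08", "carol", "pci", "10.0.0.8"), ("10:09", "dave", "pci", "10.0.0.8"),
        ("10:10", "erin", "pci", "10.0.0.8"),
    ]
]

THRESHOLD = 5  # the question's "more than 5"


def failed_logins_per_user(events):
    """SPL: ... | stats count by User_Name"""
    return Counter(e["User_Name"] for e in events)


def users_over_threshold(events, threshold=THRESHOLD):
    """SPL: ... | stats count by User_Name | where count > 5

    With the threshold inside the search itself, the alert trigger becomes
    'number of results > 0' and every returned row is one offending user,
    which is what the original poster asked for."""
    counts = failed_logins_per_user(events)
    return sorted(u for u, c in counts.items() if c > threshold)


def distinct_users(events):
    """SPL: ... | stats dc(User_Name) as number_of_users"""
    return len({e["User_Name"] for e in events})


def evaluate_alerts(events, threshold=THRESHOLD):
    """Which of the three interpretations would fire for these events."""
    return {
        "per_user": bool(users_over_threshold(events, threshold)),   # any user > 5 failures
        "distinct_users": distinct_users(events) > threshold,        # > 5 unique users
        "total_failures": len(events) > threshold,                   # > 5 failures overall
    }
```

Note the boundary case built into the sample: exactly 5 distinct users does not satisfy "more than 5", while alice's 6 failures does.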