Splunk Search

Splunk Alert Create alert based on count over past time frame

Pmeiring
Explorer

Hi Splunk Community 

I need some assistance with a Splunk alert, the search result provides exactly what I require but the alert can be improved.

The search query: 
source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now
| iplocation Calling_Station_ID
| where NOT Country="South Africa"
| stats count by Country, User_Name
| eventstats sum(count) as Country_Count by Country
| eventstats sum(count) as Username_Count by User_Name
| where NOT (Username_Count >= 10 AND Country_Count >= 10)

The search returns users and country,  only if the username count is less 10 and the country count is less than 10 in past 30 days, which is exactly what I want. The problem comes in wit h the alert, if I schedule the alert (lets say 10min) the query gets run, it creates alerts for each return value. I only want new events to be returned and not values which =was alerted on 10min ago. 

Is there any way one can achieve this ? 

Thank you so much 

Labels (2)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Throttle the alert on the User_Name and Country fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...