Splunk Alert Create alert based on count over past time frame

Pmeiring
Explorer

Hi Splunk Community 

I need some assistance with a Splunk alert. The search returns exactly what I require, but the alert can be improved.

The search query: 
source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now
| iplocation Calling_Station_ID
| where NOT Country="South Africa"
| stats count by Country, User_Name
| eventstats sum(count) as Country_Count by Country
| eventstats sum(count) as Username_Count by User_Name
| where NOT (Username_Count >= 10 AND Country_Count >= 10)

The search returns users and country only if the username count is less than 10 and the country count is less than 10 in the past 30 days, which is exactly what I want. The problem comes in with the alert: if I schedule the alert (let's say every 10 min) the query gets run and it creates alerts for each returned value. I only want new events to be returned and not values which were alerted on 10 min ago.

Is there any way one can achieve this?

Thank you so much 


richgalloway
SplunkTrust

Throttle the alert on the User_Name and Country fields.

---
If this reply helps you, Karma would be appreciated.
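As an added example (not code from the thread), here is the question's search deployed as a scheduled alert in savedsearches.conf with the throttling richgalloway suggests; the stanza name, the 10-minute cron schedule and the 30-day suppression period are assumptions.

```ini
# Added example, not from the thread. Stanza name, schedule and
# suppression period are assumed values.
[VPN auth from unexpected country]
enableSched = 1
cron_schedule = */10 * * * *
search = source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now \
| iplocation Calling_Station_ID \
| where NOT Country="South Africa" \
| stats count by Country, User_Name \
| eventstats sum(count) as Country_Count by Country \
| eventstats sum(count) as Username_Count by User_Name \
| where NOT (Username_Count >= 10 AND Country_Count >= 10)
counttype = number of events
relation = greater than
quantity = 0
# Trigger once per result row instead of once per run, so throttling
# can be keyed on each row's User_Name and Country values.
alert.digest_mode = 0
# Without throttling (alert.suppress = 0) every run re-alerts every row.
# With it, a (User_Name, Country) pair that has already fired is not
# alerted again until the suppression period has elapsed.
alert.suppress = 1
alert.suppress.fields = User_Name,Country
alert.suppress.period = 30d
alert.track = 1
```

With a 30-day period a given user/country pair is alerted once per 30 days, matching the search window; shorten the period if a pair that drops out of the results and returns should alert again sooner.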