
help creating alert port 443 for 1 hour by action

splunkcol
Builder

I know that someone may have asked this, but the truth is I did not find anything similar.

I need to create a query for the events that exceed 500 attempts in any 1-hour period; when this happens, an alert should be generated.

index=* dest=200.22.22.22 dest_port=443 action=Accept |stats count by action src dest dest_port |where count > 120 |sort -count


richgalloway
SplunkTrust

I presume the given query doesn't work or you wouldn't have posted here, but what is the problem with the query?  

It's not necessary to group the stats by action since there is only one action value in the results.

If you want to know about more than 500 attempts in an hour, why does the query look for 120?

---
If this reply helps you, Karma would be appreciated.

splunkcol
Builder

The query does work.

I will keep your suggestion about grouping in mind.

I have been confused about the number of events; regardless of the number, the help is useful to me.

I don't know if I'm confused, but I've seen queries where values like "earliest=-30d" or "bucket _time span=1s" are used.

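The following search is an added example for this thread and is not code from either poster. It combines richgalloway's two points (drop the redundant `by action` grouping and use the 500 threshold the question actually asks for) with the time bucketing splunkcol mentions: `bin _time span=1h` splits the results into one row per source, per clock hour, so the threshold is applied to each hour separately rather than to the whole search window. `index=firewall` is an assumed placeholder for whatever index holds the firewall events (the original search uses `index=*`); `dest`, `dest_port` and `action=Accept` are taken from the original search.

```spl
index=firewall dest=200.22.22.22 dest_port=443 action=Accept earliest=-24h@h latest=@h
| bin _time span=1h
| stats count by _time src dest dest_port
| where count > 500
| sort -count
```

Run ad hoc, this lists every source that made more than 500 accepted connections to port 443 in any single hour of the last day, so you can check the threshold against real traffic before alerting on it. To turn it into the hourly alert, save it as a scheduled alert with the time range set to `earliest=-1h@h latest=@h` (the `bin` line then simply yields one bucket), a cron schedule of `0 * * * *`, and the trigger condition "Number of Results is greater than 0"; each row in the result is one source that crossed the threshold in the hour that just ended. Grouping by `src` is what makes the count meaningful as a per-client rate; grouping only by `dest` and `dest_port` would alert on total traffic to the server instead.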