Hello, I would like to search for the attack events of a specific IP within a specific time range in real time, e.g. if the attack events of one IP are more than 5 times, Splunk will send an alert. I use host="xxx" eventtype="specific_ip"| timechart span=1m count(SRC_IP) by SRC_IP; it can show the attack count table grouped by SRC_IP within each 1-minute time range. Now how can I just pick the attack counts of more than 3 times, that is to say, if there exists such an event (>=3), then Splunk will send an alert? Thanks
Instead of using "timechart" you might consider this:
host="xxx" eventtype="specific_ip" earliest=-1m@m| stats count by src_ip | where count >=3
This search says: in the last minute (on the minute), summarize the count of events by src_ip, and keep any row where the "count" column of the stats table is greater than or equal to three.
You also might schedule this search to run every minute. 3 failed logins is a rather simplistic search. You might consider looking at a successful login after three failed logins.
Thanks, Michael. If I use the earliest command, the time span can not be shown in the search result table, only (src_ip, count). I want to show something like (_time, src_ip, count), but if I use timechart ... | where count>=3, the search result table would not be displayed.
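As an added illustration (not code from either poster), the following Python models what a per-minute bucket-then-count-then-threshold pipeline computes over a constructed set of events, producing (_time, src_ip, count) rows only for sources that cross the threshold in a given minute; the event timestamps, IPs and the threshold of 3 are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the original thread): each tuple is
# (timestamp, src_ip), standing in for Splunk's _time and src_ip fields.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:05", "10.0.0.5"),
    ("2024-01-01 10:00:20", "10.0.0.5"),
    ("2024-01-01 10:00:45", "10.0.0.5"),
    ("2024-01-01 10:00:50", "10.0.0.9"),
    ("2024-01-01 10:01:02", "10.0.0.5"),
    ("2024-01-01 10:01:10", "10.0.0.9"),
    ("2024-01-01 10:01:30", "10.0.0.9"),
    ("2024-01-01 10:01:55", "10.0.0.9"),
    ("2024-01-01 10:01:59", "10.0.0.9"),
]


def bucket_minute(ts: str) -> str:
    """Floor a timestamp to the start of its minute (the 1m bucket)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.replace(second=0).strftime("%Y-%m-%d %H:%M:%S")


def count_by_minute_and_ip(events):
    """Count events per (minute bucket, src_ip) pair."""
    counts = Counter()
    for ts, ip in events:
        counts[(bucket_minute(ts), ip)] += 1
    return counts


def noisy_sources(events, threshold=3):
    """Return sorted (_time, src_ip, count) rows whose count >= threshold.

    This is the table the follow-up asks for: the time bucket is kept as a
    column instead of being dropped by a plain `stats count by src_ip`.
    """
    counts = count_by_minute_and_ip(events)
    rows = [(t, ip, n) for (t, ip), n in counts.items() if n >= threshold]
    return sorted(rows)


if __name__ == "__main__":
    for row in noisy_sources(SAMPLE_EVENTS):
        print(row)
```

Any non-empty result is the condition on which a scheduled run would fire the alert; raising the threshold to 5 on this sample yields no rows.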