Hello, I would like to search for the attack events of a specific IP within a specific time range in real time, e.g. if the attack events of one IP are more than 5 times, Splunk will send an alert. I use host="xxx" eventtype="specific_ip" | timechart span=1m count(SRC_IP) by SRC_IP; it can show the attack-count table grouped by SRC_IP within each 1-min time range. Now how can I just pick the attack counts of more than 3 times, that is to say, if there exists such an event (>=3), then Splunk will send an alert? Thanks
Thanks, Michael. If I use the earliest command, the time span cannot be shown in the search result table, only (src_ip, count). I want to show something like (_time, src_ip, count), but if I use timechart ... | where count>=3, the search result table is not displayed.
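An added example search, not from the thread, that keeps _time, SRC_IP and count in one table and can be saved as an alert; it reuses the host="xxx" and eventtype="specific_ip" filters from the question and assumes a 5-minute lookback window. Unlike timechart, which pivots each SRC_IP value into its own column so there is no count field for where to test, bin plus stats leaves count as an ordinary field.

```spl
host="xxx" eventtype="specific_ip" earliest=-5m@m latest=@m
| bin _time span=1m
| stats count BY _time SRC_IP
| where count >= 3
| sort -_time -count
```

Save it as an alert on a one-minute cron schedule with the trigger condition "number of results is greater than 0", so one minute in which any source IP reaches 3 events fires the alert.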