- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: statistics greater than 500 count only
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
statistics greater than 500 count only
I have a search string that is working perfectly but i want to create an email alert that triggers whenever a results exceeds 500. Below is the search string, i tried to create a search string and then create an alert that said to run every hour and count > 500 but it doesnt seem to work. The amount of time doesnt really matter im more focused on the end results of getting alerted whenever something is over 500. The "x.x.x.x" portion was an IP address i removed just for the question but is email servers that we expect such traffic from so i was excluding them from the search.
index=firewalls NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "Deny" NOT "No matching connection" NOT "Teardown" | regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port | sort -count | rename dest_ip AS Source
results show up as statistics
Source Port 110 Port 143 Port 25 Port 993
10.90.100.5 5 600 4 50
10.91.100.56 0 0 500 0
10.91.105. 560 0 0 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi cgekoski
Re try with the search code below note that you must use where command
index=firewalls NOT ("x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "Deny" OR "No matching connection" OR "Teardown" )| regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port| where count>500 | sort -count | rename dest_ip AS Source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately the where count>500 doesnt seem to work. I have tried to modify >1 and even that breaks the statistics window.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the part that is breaking the search string is where i am doing a chart count by 2 fields; dest_ip and src_port. so when i do a "where count>X" im guessing it doesnt know which field to use? The ideal goal is to get a breakdown of IP addresses sending traffic over mail ports (Src_ports).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alternative solutions (assuming you mainly care about the email notification side) is to add the count > 500 in the query and trigger your alert on events > 0...
For example, append | where count > 500 to your above query, and your alert should work as expected (once you change the trigger condition).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whenever i add "where count > any number" the statistics do not show up. I even tried > 1 to see if that works and even that breaks it.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
