Hi all,
I am trying to set up a custom alert that triggers when I receive more than 50 emails from any given address in the space of 30 minutes. I am using this to alert for spam. So far I have got the alert working, and once triggered it does not alert again for another 2 hours. The issue I have is that after 2 hours Splunk will alert me again saying xyz@blah.com has sent 200 emails. As I am already aware that I have received excess emails from this sender, I would like Splunk to not alert on that specific address but keep alerting on anything new that comes up.
Is such a thing possible?
One thought I had is that I run a scheduled search every 30 minutes and only ask it to look at the previous 30 minutes; that way it will pick up anything new. However, that means if the hits of spam are spread over the course of an hour, for example, then I will get multiple alerts for each window that is over 50, which presents the previous issue.
Thanks in advance,
Anu
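The behaviour asked for above (alert once per sender when it crosses the 30-minute threshold, stay quiet for that sender for 2 hours, but keep alerting on any new sender) is what Splunk's per-result throttling does when the throttle is set to suppress on the sender field rather than globally. The following Python model is an added example, not code from the poster or from Splunk; it reproduces that logic over a constructed set of mail events so the difference from a global throttle can be checked. The sender addresses, timestamps and counts are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                  # alert when a sender exceeds this many mails ...
WINDOW = timedelta(minutes=30)  # ... within a sliding window of this length
SUPPRESS = timedelta(hours=2)   # per-sender quiet period after an alert fires


def detect_bursts(events, threshold=THRESHOLD, window=WINDOW, suppress=SUPPRESS):
    """Return [(sender, alert_time)] for every sender whose mail count within
    `window` exceeds `threshold`. The suppression key is the sender, so one
    noisy sender never silences alerts about a different sender, and the
    same sender is reported again only after `suppress` has elapsed."""
    recent = defaultdict(deque)   # sender -> timestamps still inside the window
    suppressed_until = {}         # sender -> time before which we stay quiet
    alerts = []
    for ts, sender in sorted(events):   # process in time order
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:  # drop mails older than the window
            q.popleft()
        quiet_until = suppressed_until.get(sender, datetime.min)
        if len(q) > threshold and ts >= quiet_until:
            alerts.append((sender, ts))
            suppressed_until[sender] = ts + suppress
    return alerts


def constructed_events():
    """Constructed sample: a spammer whose burst is spread over 100 minutes,
    a second spammer that starts later, and a legitimate low-volume sender."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    for i in range(200):   # xyz@blah.com: one mail every 30 s for 100 minutes
        events.append((base + timedelta(seconds=30 * i), "xyz@blah.com"))
    for i in range(60):    # new sender: 60 mails in 10 minutes, 90 minutes in
        events.append((base + timedelta(minutes=90, seconds=10 * i), "new@spam.example"))
    for i in range(5):     # normal sender: 5 mails, never crosses the threshold
        events.append((base + timedelta(minutes=7 * i), "alice@example.org"))
    return events


if __name__ == "__main__":
    for sender, when in detect_bursts(constructed_events()):
        print(f"{when:%H:%M:%S}  burst from {sender}")
```

Running it reports xyz@blah.com exactly once (at 09:25:00, when its 51st mail lands inside the window) even though its mails continue for another 75 minutes, and reports new@spam.example separately at 10:38:20; alice@example.org is never reported. A global 2-hour throttle keyed on nothing would have swallowed the second sender's alert, and a fixed 30-minute scheduled search would have re-reported xyz@blah.com in each half-hour slice it exceeded 50.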