Hi Everyone,
I have a splunk search:
Search:
sourcetype = onelogin:event index = onelogin earliest=-12d AND event_type_id=8 | stats count by app_name
The above search will give the counts of people logged in to every application which is in OneLogin, but I need to prepare a search that will see the count of people logged in today and the count of people logged in one week before, and if the count of logged-in people is less than 50% then it will trigger an alert. PLEASE GUIDE ME
-> I need a search that will take the counts of people logged in today and one week before, calculate the difference, and then I can make an alert on the basis of that difference.
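One way to build the comparison asked for above, as an added example that is not part of the original post. It keeps the poster's own base search (`sourcetype=onelogin:event index=onelogin event_type_id=8`) and compares the last 24 hours against the same 24-hour window seven days earlier, per application. The `today` / `week_ago` labels and the 50% threshold are the poster's requirement; the 8-day time range and the column names are this example's own choices.

```spl
sourcetype=onelogin:event index=onelogin event_type_id=8 earliest=-8d latest=now
| eval period=if(_time >= relative_time(now(), "-1d"), "today",
                 if(_time < relative_time(now(), "-7d"), "week_ago", null()))
| where isnotnull(period)
| stats count as logins by app_name, period
| xyseries app_name period logins
| fillnull value=0 today week_ago
| eval pct_change=round((today - week_ago) / week_ago * 100, 1)
| where week_ago > 0 AND today < week_ago * 0.5
| table app_name week_ago today pct_change
```

Events that fall between the two windows are discarded by the `where isnotnull(period)` step, so each app ends up with exactly two numbers after `xyseries`; `fillnull` turns a missing column into 0 so an app that had logins a week ago but none today still appears. The `week_ago > 0` guard avoids a divide-by-zero and stops a brand-new application (zero logins last week) from firing. Saved as an alert with the trigger condition "number of results is greater than 0", each row is an application whose logins fell by more than half, which is worth investigating as a possible SSO outage or misconfiguration as much as a usage change. `count` counts login events as in the original search; if the sourcetype exposes a user field, `dc(<user field>)` in the `stats` step would count distinct people instead.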
@Vijeta - I can take the index time, but many requests are coming. For example, one event is started at 9.00 a.m. with one subscriber number and another same event starts at 9.30 a.m., but the difference is, this time another event starts with a different subscriberNumber (it is a number which is provided to a person as a kind of validity). So if I use timeStamp, will it work?
Thank you
In Splunk, as on one production server many events are occurring every day, I need a query for Splunk to know if any event is taking more than 30 minutes of time; I need an alert for those types of events.
Thank You
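An added example, not from the original posts, covering both the "more than 30 minutes" alert and the earlier worry about overlapping events from different subscribers. It groups by `subscriberNumber` (the field named in the reply above) and uses the event's own timestamp `_time` rather than index time, so a 9.00 a.m. event and a 9.30 a.m. event for different subscribers are measured separately. The index and sourcetype (`index=prod sourcetype=app_events`) and a `status` field with the values `start` and `end` are assumptions made for this example; substitute whatever marks the beginning and end of an event in the real data.

```spl
index=prod sourcetype=app_events earliest=-24h
| eval start=if(status="start", _time, null()), end=if(status="end", _time, null())
| stats min(start) as start_time max(end) as end_time by subscriberNumber
| eval end_or_now=coalesce(end_time, now())
| eval duration_min=round((end_or_now - start_time) / 60, 1)
| where duration_min > 30
| eval state=if(isnull(end_time), "still running", "completed")
| convert ctime(start_time) ctime(end_time)
| table subscriberNumber state start_time end_time duration_min
```

The `coalesce(end_time, now())` step is the part a plain `transaction` would miss: an event that has started but has no end event yet is compared against the current time, so it is reported as "still running" once it passes 30 minutes instead of being ignored until it finishes. Scheduled as an alert (for example every 5 minutes, trigger on "number of results is greater than 0"), this surfaces both slow completed events and hung ones. If a subscriber can legitimately start several events inside the 24-hour window, add a per-event identifier to the `by` clause so that `min(start)` does not span two separate events.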