Hello guys, Can anyone please help me to create a DOS/DDOS alert without using any application in splunk.  For example:  if source IPs sending thousands of TCP packets simultaneously within the 15-20 minutes or so.   I can't seem to find any docs that related to this. TIA ... View more

hello guys, Is there any way that I could remove duplicate events that have same timestamp using this below search string:   index=* (EventCode=4624 OR EventCode=4625) | stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Account_Name | where Attempts>=5 AND Success>=1 AND Failed>=2 | eval FirstAttempt=strftime(FirstAttempt,"%x %X") | eval LatestAttempt=strftime(LatestAttempt,"%x %X")   The output: Account_Name Attempts Failed Success FirstAttempt LatestAttempt     ... View more

Hey gents,  I am very new to splunk but does anyone have an idea why my search from datamodel=authentication not getting older events (say last month or two)? Below is my search string: | tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=* by _time, Authentication.action span=10m | timechart minspan=10m useother=true count by Authentication.action Any suggestion would be so much appreciated!  Cheers  ... View more