I have searched across Splunk Answers, Docs, and the YouTube channel, but I'm still having an issue with setting up a proper alert. I need to set up an alert so that if failed logins exceed 4 attempts within 10 minutes, an alert will be triggered. I went into the Search and typed:

```
index=* sourcetype="WinEventLog:Security" EventCode=4625 | stats count by host, Account_Name, name | where count > 4
```
The search is then saved as an Alert:
**Title:** <the name>
**Description:** <the description>
**Permissions:** Private
**Alert Type:** Real-time
**Trigger Alert when:** Per-Result
(No Throttling)
The issue is that it pulls results every five seconds. It seems that the system checks the log within my given time frame, notices that there are still logs, and triggers another alert. I then tried switching my search to:

```
index=* sourcetype="WinEventLog:Security" EventCode=4625 | stats count by host, Account_Name, name
```
with the following Alert Type:
**Alert Type:** Real-time
**Trigger alert when:** Number of Results **is** greater than 4 *in* 10 minute(s)
**Trigger:** Once
(No Throttle)
However, when I do that, it pulls up nothing. Any help would be appreciated; I've been stuck on this for two days.
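The alert logic the question is after (more than 4 EventCode 4625 failures from one host/account inside a trailing 10-minute window, fired once rather than on every matching result) can be modelled outside Splunk to see how the two configurations behave. The Python below is an added example, not code from the original post or from Splunk; the events are constructed sample records carrying only a few 4625 fields, and `stats_count_by` mimics `stats count by host, Account_Name` so the difference between the number of result rows (one per group) and the `count` value inside a row is visible, while `detect_bursts` runs the sliding window with and without a throttle:

```python
"""Sliding-window detector for repeated Windows logon failures.

Added example (not from the original post): models the alert described in
the question, i.e. more than 4 EventCode 4625 failures from one
host/account within 10 minutes, and shows per-result versus throttled firing.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 4                   # "exceeds 4 attempts" -> fire when count > 4
WINDOW = timedelta(minutes=10)  # the 10-minute window from the question

# Constructed sample events shaped like a few fields of a
# WinEventLog:Security 4625 record (not real log data).
SAMPLE_EVENTS = [
    {"_time": t, "host": h, "Account_Name": a, "EventCode": 4625}
    for t, h, a in [
        # alice on WS01: six failures in six minutes -> should alert once
        ("2024-01-15 09:00:05", "WS01", "alice"),
        ("2024-01-15 09:01:10", "WS01", "alice"),
        ("2024-01-15 09:02:30", "WS01", "alice"),
        ("2024-01-15 09:03:00", "WS01", "alice"),
        ("2024-01-15 09:04:45", "WS01", "alice"),
        ("2024-01-15 09:06:00", "WS01", "alice"),
        # bob on WS01: three failures -> below threshold
        ("2024-01-15 09:00:30", "WS01", "bob"),
        ("2024-01-15 09:05:00", "WS01", "bob"),
        ("2024-01-15 09:09:00", "WS01", "bob"),
        # carol on SRV02: five failures spread over 32 minutes -> never
        # more than two inside any 10-minute window
        ("2024-01-15 09:00:00", "SRV02", "carol"),
        ("2024-01-15 09:08:00", "SRV02", "carol"),
        ("2024-01-15 09:16:00", "SRV02", "carol"),
        ("2024-01-15 09:24:00", "SRV02", "carol"),
        ("2024-01-15 09:32:00", "SRV02", "carol"),
        # alice again, a second burst well after the first -> new alert
        ("2024-01-15 09:40:00", "WS01", "alice"),
        ("2024-01-15 09:40:10", "WS01", "alice"),
        ("2024-01-15 09:40:20", "WS01", "alice"),
        ("2024-01-15 09:40:30", "WS01", "alice"),
        ("2024-01-15 09:40:40", "WS01", "alice"),
    ]
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def stats_count_by(events, fields=("host", "Account_Name")):
    """Equivalent of `stats count by host, Account_Name`: one row per group.

    The number of rows is the number of groups, not the number of failures,
    so an alert condition on "number of results" compares the row count.
    """
    counts = defaultdict(int)
    for e in events:
        if e["EventCode"] == 4625:
            counts[tuple(e[f] for f in fields)] += 1
    return [dict(zip(fields, k), count=v) for k, v in sorted(counts.items())]


def detect_bursts(events, threshold=THRESHOLD, window=WINDOW, throttle=None):
    """Stream events in time order and keep, per (host, account), the
    failure timestamps inside the trailing window. Emit an alert whenever the
    count exceeds the threshold. With throttle=None every qualifying event
    fires (per-result behaviour); with a throttle period, each key fires at
    most once per period."""
    recent = defaultdict(deque)
    last_fired = {}
    alerts = []
    for e in sorted(events, key=lambda ev: parse_time(ev["_time"])):
        if e["EventCode"] != 4625:
            continue
        key = (e["host"], e["Account_Name"])
        now = parse_time(e["_time"])
        q = recent[key]
        q.append(now)
        while q and now - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            if throttle and key in last_fired and now - last_fired[key] < throttle:
                continue                   # suppressed: already fired recently
            last_fired[key] = now
            alerts.append({"host": key[0], "Account_Name": key[1],
                           "count": len(q), "window_start": q[0].isoformat(),
                           "fired_at": now.isoformat()})
    return alerts


if __name__ == "__main__":
    for row in stats_count_by(SAMPLE_EVENTS):
        print("stats row:", row)
    print("per-result alerts:", len(detect_bursts(SAMPLE_EVENTS)))
    print("throttled alerts: ", len(detect_bursts(SAMPLE_EVENTS, throttle=WINDOW)))
    for a in detect_bursts(SAMPLE_EVENTS, throttle=WINDOW):
        print("ALERT", a)
```

On this data `stats_count_by` returns three rows (alice 11, bob 3, carol 5), so a condition on the number of results never sees a value above 3 even though alice's `count` is well over 4; the per-host/account check has to look at the `count` field. Without a throttle the detector fires three times for alice (on the fifth and sixth failure of the first burst and the fifth of the second), which is the repeated-firing effect described in the post; with a throttle equal to the window it fires once per burst.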