Help creating an alert based on number of events per field

Path Finder

We're looking to create an alert based on the number of failures based on a certain field (clientIP) per certain time frame.

here is the search so far:

sourcetype="access_combined" POST 401 "/cas/login" | stats count by clientip

Basically, we only want to be alerted when the number of events from any unique clientIP hits 10 per minute. 

We have the alert to trigger if the number of results is greater than 9.

Labels (2)
0 Karma


If your search period is one minute, try this

sourcetype="access_combined" POST 401 "/cas/login"
| stats count by clientip
| where count > 9

Or if it is larger and you want to check the count in 1 minute buckets, try this

sourcetype="access_combined" POST 401 "/cas/login"
| timechart span=1m count by clientip
| untable _time clientip count
| where count > 9



Not sure if I understand it correctly, but if you are trying to trigger an alert if the no.of events is equal to 10, you can append the same condition in the query and in the alert conditions, trigger the alert only if you get any results.

sourcetype="access_combined" POST 401 "/cas/login"
| stats count by clientip
| search clientip=10


Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...