Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Creating an alert with field value count withi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mcg_connor
Path Finder
07-29-2019
11:15 AM
I am trying to create an alert for the below search that would go off if within the event there are 10 times where EventCode equals 1 within a 5-minute span. I also want EventCode equals 2 once within that span which is why I am doing the search for EventID equals 1 AND EventID equals 2.
index="myindex" EventCode=1 OR EventCode=2 earliest=-5m
| transaction user | search EventID=1 AND EventID=2
| eventstats
count(eval(match(EventID,"1"))) as loginFail
count(eval(match(EventID,"2"))) as loginSuccess
by user
|table user,loginFail,loginSuccess
|where loginFail >= 10
Currently the results of this search are:
user loginFail loginSuccess
testuser 1 1
exampleuser 1 1
Even if there are 3 times within the transaction where EventID equals 1 and 1 time where it equals 2.
Thanks for any help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2019
11:26 AM
DO NOT user transaction; try this:
index="myindex" AND (EventCode=1 OR EventCode=2) earliest=-5m
| eventstats count(eval(EventCode=1)) AS loginFail count(eval(EventCode=2)) AS loginSuccess BY user
| where loginFail >= 10 AND loginSuccess > 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2019
11:26 AM
DO NOT user transaction; try this:
index="myindex" AND (EventCode=1 OR EventCode=2) earliest=-5m
| eventstats count(eval(EventCode=1)) AS loginFail count(eval(EventCode=2)) AS loginSuccess BY user
| where loginFail >= 10 AND loginSuccess > 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mcg_connor
Path Finder
07-29-2019
11:32 AM
Awesome thanks for the helpful answer!
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
