Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Creating an alert with field value count withi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mcg_connor
Path Finder
07-29-2019
11:15 AM
I am trying to create an alert for the below search that would go off if within the event there are 10 times where EventCode equals 1 within a 5-minute span. I also want EventCode equals 2 once within that span which is why I am doing the search for EventID equals 1 AND EventID equals 2.
index="myindex" EventCode=1 OR EventCode=2 earliest=-5m
| transaction user | search EventID=1 AND EventID=2
| eventstats
count(eval(match(EventID,"1"))) as loginFail
count(eval(match(EventID,"2"))) as loginSuccess
by user
|table user,loginFail,loginSuccess
|where loginFail >= 10
Currently the results of this search are:
user loginFail loginSuccess
testuser 1 1
exampleuser 1 1
Even if there are 3 times within the transaction where EventID equals 1 and 1 time where it equals 2.
Thanks for any help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2019
11:26 AM
DO NOT user transaction; try this:
index="myindex" AND (EventCode=1 OR EventCode=2) earliest=-5m
| eventstats count(eval(EventCode=1)) AS loginFail count(eval(EventCode=2)) AS loginSuccess BY user
| where loginFail >= 10 AND loginSuccess > 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-29-2019
11:26 AM
DO NOT user transaction; try this:
index="myindex" AND (EventCode=1 OR EventCode=2) earliest=-5m
| eventstats count(eval(EventCode=1)) AS loginFail count(eval(EventCode=2)) AS loginSuccess BY user
| where loginFail >= 10 AND loginSuccess > 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mcg_connor
Path Finder
07-29-2019
11:32 AM
Awesome thanks for the helpful answer!
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
