Alerting

Splunk Real-Time Alerts

nspatel
Explorer

Hi everyone,

I am having some problem with real time alerting. The following query in splunk will return for me userIDs and the number of times someone has failed their password the last 15 minutes (or so I think)

index=indexname source="/opt/logfilelocation.log" "[Not Authenticated. Invalid credentials]" earliest=-15m latest=now | stats count by userID

I am trying to configure a splunk alert that will send me an email if a user fails their password 10 times or more in 15 mins. I only want 1 alert per user per hour. I thought this would be something easy to do but I seem to be getting a lot problems with this not responding correctly.

Is my search good? Anyone have some recommendations? Thanks!

0 Karma
1 Solution

nspatel
Explorer

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

View solution in original post

0 Karma

nspatel
Explorer

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...