Alerting

Only alert if event happens X times, but display all events

Branden
Builder

I'm having a small dilemma with an alert that a user would like created...

Quite simply, we want to be alerted if a username has 3 or more failed login attempts in a 30-minute period. And if that alert triggers, I want to display ALL failed login attempts for that 30-minute period.

It sounded simple, but this turned out to be harder than I thought.

When I configure the alert to trigger if "Number of events > 3", it will trigger if ANY three users fail. I only want it to trigger if the same user fails (in the past 30 minutes).

Is there a way to do this? I'm running v4.3.3.

Thanks!

1 Solution

echalex
Builder

Hi,

Sounds to me that what you are trying to do is more or less the same as in this example in the documentation.

Basically, you add something like "| stats count by user" into the search and create a custom alert trigger such as "search count > 3".

HTH!
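The difference between the two trigger styles in this thread, worked through in Python as an added example (this is not code from the thread or from Splunk; the log lines are constructed, and the field names `user`, `result` and `src` are assumptions). `naive_alert` is the "Number of events > N" condition the original poster had, which counts failures across every user; `per_user_alert` is the "count by user, then filter" logic from the answer above, and it also returns every failure for the users that crossed the threshold so the alert can show all attempts, not just a count.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not taken from the thread); one line per login attempt.
SAMPLE_LOG = """\
2012-05-01 09:00:12 user=alice action=login result=failure src=10.0.0.5
2012-05-01 09:03:40 user=bob action=login result=failure src=10.0.0.9
2012-05-01 09:05:02 user=alice action=login result=failure src=10.0.0.5
2012-05-01 09:10:55 user=carol action=login result=failure src=10.0.0.7
2012-05-01 09:12:19 user=alice action=login result=failure src=10.0.0.5
2012-05-01 09:14:00 user=alice action=login result=success src=10.0.0.5
2012-05-01 09:45:30 user=bob action=login result=failure src=10.0.0.9
2012-05-01 09:50:10 user=bob action=login result=failure src=10.0.0.9
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=30)   # "in a 30 minute period"
THRESHOLD = 3                    # "3 or more failed login attempts"


def parse_line(line):
    """Turn one 'YYYY-mm-dd HH:MM:SS key=value ...' line into a dict with a datetime _time."""
    ts_text, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["_time"] = datetime.strptime(ts_text, TIME_FMT)
    return fields


def failed_logins(log_text):
    """The base search: every event that is a failed login attempt."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e.get("result") == "failure"]


def events_in_window(events, window_end):
    """Restrict to the 30 minutes ending at window_end (like a scheduled search over -30m)."""
    end = datetime.strptime(window_end, TIME_FMT)
    start = end - WINDOW
    return [e for e in events if start < e["_time"] <= end]


def naive_alert(events, window_end):
    """What 'trigger if number of events >= 3' does: it counts failures across ALL users,
    so three different users each failing once is enough to fire it."""
    return len(events_in_window(events, window_end)) >= THRESHOLD


def per_user_alert(events, window_end):
    """The per-user version: group failures by user (the '| stats count by user' step),
    keep only users at or above the threshold, and return ALL of that user's failures
    in the window so the alert can display every attempt rather than only a count."""
    by_user = defaultdict(list)
    for e in events_in_window(events, window_end):
        by_user[e["user"]].append(e)
    return {user: evs for user, evs in by_user.items() if len(evs) >= THRESHOLD}


if __name__ == "__main__":
    failures = failed_logins(SAMPLE_LOG)
    for end in ("2012-05-01 09:11:00", "2012-05-01 09:15:00", "2012-05-01 10:00:00"):
        hits = per_user_alert(failures, end)
        print(f"window ending {end}: naive={naive_alert(failures, end)} per-user={sorted(hits)}")
        for user, evs in hits.items():
            for e in evs:
                print(f"  {e['_time']} {user} from {e['src']}")
```

For the window ending 09:11 the naive condition fires (four failures spread over alice, bob and carol) while no single user has reached three, which is exactly the false positive described in the question; at 09:15 only alice crosses the threshold and all three of her attempts come back. If you want the same "keep every event" behaviour inside the Splunk search itself rather than in the alert condition, my own suggestion (not from the thread) is `| eventstats count by user | where count >= 3`, since `eventstats` attaches the per-user count to each event instead of collapsing to one row per user the way `stats` does.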

Branden
Builder

Never mind, I think I figured out why that procedure didn't work at first. Turns out it was behaving as expected after all. Thanks again, your link was very helpful!

echalex
Builder

Answer has been corrected now.

echalex
Builder

Oops, there was a minor typo in my answer. Perhaps this affected your results?

You need the "search" keyword in the custom condition, so it will restrict the results to only having more than three failures.

Branden
Builder

Thank you for your response.
Hmm..... the example you pointed me to is exactly what I need. And I followed the example verbatim, but it's not working as expected. It alerts regardless of how many login failures (even if less than three). And the alert report it provides is uninformative, but I can tweak that on my own.

But because the example you linked me to is exactly what I need, I think something else is weird on my end. I may open up a tech support ticket to get this worked out.

Thank you very much for the tip!
