Splunk Search

Alert when a threshold is met consistently at certain intervals within a time frame

tpowell12
Explorer

I'm having trouble building an alert. I want to get alerted, if during a 4 hour window, an IP has more than 5 blocks at our proxy every 5 minutes for the entire 4 hours. At any point within the 4 hour frame, if the hit count drops below 5 in 5 minutes, I don't want to be alerted.

The search belows gives me the hit count by IP in 5 minute blocks but I'm not sure how to get alerted if a unique IP constantly has 5 hits every 5 minutes throughout the 4 hours.

host="proxy1" status="blocked" | timechart span=5m count by IP

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Try this:

host="proxy1" status="blocked" | timechart span=5m count by IP | untable _time IP count | stats min(count) as min_count by IP | where min_count >= 5

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Try this:

host="proxy1" status="blocked" | timechart span=5m count by IP | untable _time IP count | stats min(count) as min_count by IP | where min_count >= 5
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...