Solved: Splunk Real-Time Alerts

nspatel · ‎12-10-2014

Hi everyone,

I am having some problem with real time alerting. The following query in splunk will return for me userIDs and the number of times someone has failed their password the last 15 minutes (or so I think)

index=indexname source="/opt/logfilelocation.log" "[Not Authenticated. Invalid credentials]" earliest=-15m latest=now | stats count by userID

I am trying to configure a splunk alert that will send me an email if a user fails their password 10 times or more in 15 mins. I only want 1 alert per user per hour. I thought this would be something easy to do but I seem to be getting a lot problems with this not responding correctly.

Is my search good? Anyone have some recommendations? Thanks!

nspatel · ‎12-10-2014

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

View solution in original post

nspatel · ‎12-10-2014

I ended up doing this

I added a where clause
| stats count by userID | where count > 9

Throttle userID for 60 mins

seems to be working on.

Splunk Real-Time Alerts

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases