Splunk Search

statistics greater than 500 count only

cgekoski
Path Finder

I have a search string that is working perfectly, but I want to create an email alert that triggers whenever a result exceeds 500. Below is the search string. I tried to create a search string and then create an alert that said to run every hour and count > 500, but it doesn't seem to work. The amount of time doesn't really matter; I'm more focused on the end result of getting alerted whenever something is over 500. The "x.x.x.x" portion was an IP address I removed just for the question, but these are email servers that we expect such traffic from, so I was excluding them from the search.

index=firewalls NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "Deny" NOT "No matching connection" NOT "Teardown" | regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port | sort -count | rename dest_ip AS Source

Results show up as statistics:

Source         Port 110   Port 143   Port 25   Port 993
10.90.100.5           5        600         4         50
10.91.100.56          0          0       500          0
10.91.105.          560          0         0          0

0 Karma

chimell
Motivator

Hi cgekoski
Retry with the search code below; note that you must use the where command.

index=firewalls NOT ("x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "Deny" OR "No matching connection" OR "Teardown") | regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port | where count>500 | sort -count | rename dest_ip AS Source
0 Karma

cgekoski
Path Finder

Unfortunately, the where count>500 doesn't seem to work. I have tried to modify it to >1, and even that breaks the statistics window.

0 Karma

cgekoski
Path Finder

I think the part that is breaking the search string is where I am doing a chart count by 2 fields: dest_ip and src_port. So when I do a "where count>X", I'm guessing it doesn't know which field to use? The ideal goal is to get a breakdown of IP addresses sending traffic over mail ports (Src_ports).

0 Karma

alaorath
Path Finder

An alternative solution (assuming you mainly care about the email notification side) is to add the count > 500 in the query and trigger your alert on events > 0...

For example, append | where count > 500 to your above query, and your alert should work as expected (once you change the trigger condition).

0 Karma

cgekoski
Path Finder

Whenever I add "where count > any number", the statistics do not show up. I even tried > 1 to see if that works, and even that breaks it.

0 Karma
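As an added example (not from any poster in this thread): `chart count by dest_ip src_port` pivots the src_port values into column names (25, 110, ...) and leaves no field called `count`, so `where count>500` matches nothing and empties the table. Filtering before the pivot keeps `count` available; the exclusions and port regex below are copied from the original search, with the same "x.x.x.x" placeholder standing in for the excluded mail servers.

```spl
index=firewalls NOT ("x.x.x.x" OR "Deny" OR "No matching connection" OR "Teardown")
| regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$"
| stats count by dest_ip src_port
| where count > 500
| sort -count
| rename dest_ip AS Source
```

Each remaining row is one dest_ip/src_port pair over the threshold, so the alert trigger condition becomes "Number of Results is greater than 0"; append `| xyseries Source src_port count` if the one-column-per-port layout from the original chart is still wanted in the alert output.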