Splunk Search

statistics greater than 500 count only

cgekoski
Path Finder

I have a search string that is working perfectly, but I want to create an email alert that triggers whenever a result exceeds 500. Below is the search string. I tried to create a search string and then create an alert that said to run every hour and count > 500, but it doesn't seem to work. The amount of time doesn't really matter; I'm more focused on the end result of getting alerted whenever something is over 500. The "x.x.x.x" portion was an IP address I removed just for the question, but it is email servers that we expect such traffic from, so I was excluding them from the search.

index=firewalls NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "x.x.x.x" NOT "Deny" NOT "No matching connection" NOT "Teardown" | regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port | sort -count | rename dest_ip AS Source

Results show up as statistics:

Source        Port 110  Port 143  Port 25  Port 993
10.90.100.5          5       600        4        50
10.91.100.56         0         0      500         0
10.91.105.         560         0        0         0

0 Karma

chimell
Motivator

Hi cgekoski
Retry with the search code below; note that you must use the where command.

index=firewalls NOT ("x.x.x.x" OR  "x.x.x.x" OR  "x.x.x.x" OR "x.x.x.x" OR  "Deny" OR "No matching connection" OR "Teardown" )| regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$" | chart count by dest_ip src_port| where count>500 | sort -count | rename dest_ip AS Source
0 Karma

cgekoski
Path Finder

Unfortunately the where count>500 doesn't seem to work. I have tried to modify it to >1 and even that breaks the statistics window.

0 Karma

cgekoski
Path Finder

I think the part that is breaking the search string is where I am doing a chart count by 2 fields: dest_ip and src_port. So when I do a "where count>X", I'm guessing it doesn't know which field to use? The ideal goal is to get a breakdown of IP addresses sending traffic over mail ports (Src_ports).

0 Karma
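The guess above points at the real cause: chart count by dest_ip src_port pivots each src_port value into its own column, so no field named count survives for where to test, and every row is dropped. The search below is an added example, not one of the posters' searches; it assumes the same index, fields and exclusions as the original search and keeps the x.x.x.x placeholders:

```spl
index=firewalls NOT ("x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "x.x.x.x" OR "Deny" OR "No matching connection" OR "Teardown")
| regex src_port="^25$|^110$|^465$|^995$|^143$|^993$|^2525$"
| stats count by dest_ip, src_port
| where count > 500
| xyseries dest_ip src_port count
| rename dest_ip AS Source
```

stats keeps one row per dest_ip/src_port pair with a real count field, so where filters rows before xyseries rebuilds the per-port grid for display. For the alert, leave out the xyseries line and trigger on "Number of results" greater than 0, so each row left after the where is a host/port pair over the threshold.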

alaorath
Path Finder

An alternative solution (assuming you mainly care about the email notification side) is to add the count > 500 in the query and trigger your alert on events > 0...

For example, append | where count > 500 to your above query, and your alert should work as expected (once you change the trigger condition).

0 Karma

cgekoski
Path Finder

Whenever I add "where count > any number", the statistics do not show up. I even tried > 1 to see if that works, and even that breaks it.

0 Karma