I want an alert set up in Splunk for 100 occurrences of event ID 8306 per host for sourcetype "xyz" in 15 minutes.
Can anyone suggest something?
What about something like sourcetype="xyz" EventID=8306 | stats count by host | where count > 100
then schedule it to run every 15 minutes for the previous 15 minutes (start time = -15m@m, finish time = @m)?
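The search and schedule from the answer above, written out as a savedsearches.conf stanza. This is an added example, not something posted in the thread: the stanza name, app path and e-mail address are placeholders, and the threshold is written as `count >= 100` to match the question's "100 occurrences" (the answer's `> 100` fires only at 101 or more).

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
[EventID 8306 burst per host]
# One row per host that crossed the threshold inside the search window
search = sourcetype="xyz" EventID=8306 | stats count by host | where count >= 100

# Run at :00, :15, :30 and :45. The window is snapped to the minute (@m)
# so consecutive runs neither overlap nor leave a gap.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m

# Trigger when the search returns at least one row (i.e. at least one host
# is over the threshold); the threshold itself lives in the "where" clause.
counttype = number of events
relation = greater than
quantity = 0

# One alert per offending host rather than one digest for all of them,
# and no repeat alert for the same host within the next 15 minutes.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 15m
alert.track = 1
alert.severity = 4

# Notification target is a placeholder
action.email = 1
action.email.to = soc@example.invalid
action.email.subject = Splunk alert: EventID 8306 burst on $result.host$
```

Splunk needs a restart or a debug refresh before it picks up a stanza added by hand; creating the alert through the web UI writes the same keys.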