How to edit my search to alert when the count is g...

fmpa_isaac · ‎02-25-2016

Can someone please help me finish an alert I am trying to do below? I would like to set the alert to notify me once the count reaches 10k and then send me a list of the top 10 SRC_IPs. However, when I put in the search count > 10000, it removed the src_ip entries.

Here is my search string so far.

sourcetype="cisco:asa" action=blocked | stats count by src_ip, dest_ip, dest_port  | sort - by count | rename src_ip as Src, dest_ip as Dest, dest_port as Port | addcoltotals

dturnbull_splun · ‎02-25-2016

Use the custom condition in your alert :

where count > 1000

fmpa_isaac · ‎02-26-2016

thank you, that worked on the alert. All I need now is to report the top x while keeping an "Other" count at the bottom.

fmpa_isaac · ‎02-25-2016

I would also need the top 10 plus a line totaling the OTHER count as well.

0YAoNnmRmKDg · ‎02-25-2016

Hi,

you could just set the number of results in the alert triggers wizard to 10000 events?

http://docs.splunk.com/Documentation/Splunk/6.3.3/Alert/Defineper-resultalerts

then just use something like

index = _internal | stats count by source | top limit=5 source

so you would have

my_awesome_search | top limit=10 Src

Cheers

fmpa_isaac · ‎02-25-2016

Thank you.

But that the problem. When I put the 10k in the alert trigger, it's just like putting it in the search string where it then removed all other records. I would also need the top 5 plus a line totalling the OTHER count as well.

How to edit my search to alert when the count is greater than 10000 and send me a list of the top 10 SRC_IP?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!