Alerting

When the action is permitted traffic, I want to get an alert when the event count is greater than 200 events within 1 hr from the same source IP.

ravisplunksap
New Member
index=*network   sourcetype=switches
| rex "(?i)^(?:[^\\-]*\\-){7}\\w+\\s+(?P[^ ]+)"
| rex "(?i) permitted (?P[^ ]+)"
| rex "(?i) tcp (?P[^\\(]+)" 
| rex "(?i)^[^>]*>\\s+(?P[^\\(]+)" 
| transaction source_ip maxspan=1h
| search eventcount>200 
| top  source_ip  
| table source_ip, count 
| sort -count

Is the above search correct?

Please advise me what changes are necessary.

0 Karma

lguinn2
Legend

First, your rex commands were completely screwed up by the cut-and-paste into the question. Please edit the question and tidy those up if you can. But even without that, I can see some problems in your search. Let me assume that the source_ip is really the only important field for your alert.

The last three commands in your search just mess things up: the lines for top, table and sort need to go. No matter what else you do, these are not helping. My next suggestion is that you should avoid using the transaction command. It costs a lot of overhead.

There are several ways to get the alert that you want. While you could use a real-time alert, I suggest that you use a scheduled alert, as it is much more efficient. So, for example, let's set up an alert that searches every 5 minutes to see if a source IP has generated more than 200 events in the past hour:

Search (save it as an Alert)

index=*network  sourcetype=switches
| stats count by source_ip
| where source_ip > 200

This search will produce a simple list of source IPs with over 200 events, nothing more. Set the time range of the search to "Last 60 minutes". (You might have to add the rex for extracting the source_ip, if that field doesn't already exist.)

Alert Scheduling: This alert should be a scheduled alert. It should be set to "Run on Cron Schedule" with the following settings:

Earliest: -60m@m
Latest:   now
Cron Expression: */5 * * * *

Trigger alert when the number of results is greater than 0.
Set whatever actions that you want the alert to take. I would definitely "Add to Triggered Alerts" so that it will show up on the Alerts dashboard.

There you go. Every 5 minutes, this search will run and see if any source IPs have accumulated more than 200 events in the prior 60 minutes. If they have, the alert will fire. I think you were just making it too complicated!

0 Karma

hartfoml
Motivator

@iguinn this is the right answer and you are so good at answering. You have helped me several times. I just have one very slight correction in your search.
index=*network sourcetype=switches
| stats count by source_ip
| where source_ip > 200

should be
index=*network sourcetype=switches
| stats count by source_ip
| where count > 200

@iguinn Hope to meet you at .conf2016

0 Karma
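To see what the corrected scheduled search does on actual log lines, here is an added Python emulation (not Splunk code, and not from either answer) that extracts source_ip from constructed switch ACL lines, applies the -60m@m to now window, and reports source IPs whose count exceeds 200; the log format, field names, timestamps and IP addresses are all assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line format (constructed for this example, not real switch output):
#   "2016-05-01T12:05:00 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.5(40000) -> 192.0.2.10(443), 1 packet"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*? permitted (?P<proto>\w+) (?P<source_ip>\d{1,3}(?:\.\d{1,3}){3})\("
)

def parse_line(line):
    """Return (timestamp, source_ip) for permitted-traffic lines, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("source_ip")

def scheduled_alert(lines, now, threshold=200, window_minutes=60):
    """Emulate: earliest=-60m@m latest=now | stats count by source_ip | where count > threshold.
    Returns {source_ip: count} for IPs that would make the alert fire."""
    earliest = (now - timedelta(minutes=window_minutes)).replace(second=0, microsecond=0)
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # denied traffic and unparsable lines do not count
        ts, src = parsed
        if earliest <= ts < now:  # only events inside the search window
            counts[src] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

def make_lines(src, dst, start, n, step_seconds):
    """Build n constructed permitted-traffic lines from src, one every step_seconds."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).isoformat()} %SEC-6-IPACCESSLOGP: "
        f"list 101 permitted tcp {src}({40000 + i}) -> {dst}(443), 1 packet"
        for i in range(n)
    ]

NOW = datetime(2016, 5, 1, 13, 0, 0)  # constructed "now" for the scheduled run
SAMPLE_LINES = (
    make_lines("10.0.0.5", "192.0.2.10", NOW - timedelta(minutes=55), 250, 12)   # 250 hits, all inside the window
    + make_lines("10.0.0.9", "192.0.2.10", NOW - timedelta(minutes=50), 150, 12) # 150 hits, under the threshold
    + make_lines("10.0.0.7", "192.0.2.10", NOW - timedelta(minutes=100), 300, 12) # 300 hits, only 100 inside the window
    + [f"{NOW.isoformat()} %SEC-6-IPACCESSLOGS: list 101 denied tcp 10.0.0.3(1) -> 192.0.2.10(22), 1 packet"]
)

if __name__ == "__main__":
    print(scheduled_alert(SAMPLE_LINES, NOW))  # {'10.0.0.5': 250}
```

Only 10.0.0.5 fires: 10.0.0.7 has more than 200 events in total, but only the 100 that fall inside the last 60 minutes are counted, which is exactly why the 5-minute cron schedule over a 60-minute window matches the original requirement.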

sundareshr
Legend

Please share some sample events or re-post your query inside a code block.

0 Karma