Alerting

Alert on count of email sender is seen 5 times within 1 hour

AyeDefo
Engager

I'm trying to create a search to output a list of unique senders where that sender has generated a DLP log 5 times or more within a 24-hour period.
Ideally this should not count the same email more than once if a single email triggers multiple policy hits in the policy field.

What I have so far:

index=dlp eventtype=symantec_dlp_alert
| bucket span=24h  _time
| stats count by _time sender
| where count > 5
| sort -count

But the output does not seem right. Any guidance would be much appreciated.

1 Solution

woodcock
Esteemed Legend

I don't have these logs in front of me, but you should have some kind of unique identifier for the email (subject, mid, etc.), so let's assume your data has mid and do it like this:

 index=dlp eventtype=symantec_dlp_alert
 | bucket span=24h _time
 | stats dc(mid) AS count BY _time sender
 | search count >= 5
 | sort 0 - count

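To show why the distinct count is the right aggregation here, the following is an added Python model of the accepted search (not code from the original thread): it uses constructed DLP events in which one email with several policy hits produces several events, buckets them per 24h and per sender like bucket/stats, and compares a plain count against dc(mid).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample DLP events (not taken from the original post). One
# email (same mid) that matches several policies yields several events,
# which is exactly what a plain count over-counts.
SAMPLE_EVENTS = (
    [{"_time": "2024-03-01T09:00:00Z", "sender": "alice@example.com", "mid": f"a{i}", "policy": p}
     for i in range(3) for p in ("PCI", "PII")]            # 3 emails x 2 hits = 6 events
    + [{"_time": "2024-03-01T10:00:00Z", "sender": "bob@example.com", "mid": f"b{i}", "policy": "PCI"}
       for i in range(5)]                                   # 5 distinct emails
    + [{"_time": "2024-03-01T23:00:00Z", "sender": "carol@example.com", "mid": f"c{i}", "policy": "PII"}
       for i in range(3)]
    + [{"_time": "2024-03-02T01:00:00Z", "sender": "carol@example.com", "mid": f"c{i}", "policy": "PII"}
       for i in range(3, 5)]                                # 3 + 2 split across two 24h buckets
)

SPAN_SECONDS = 24 * 60 * 60


def bucket_start(ts):
    """Floor an ISO-8601 UTC timestamp to the start of its 24h bucket (like `bucket span=24h _time`)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % SPAN_SECONDS


def aggregate(events):
    """Per (bucket, sender): raw event count and distinct message-id count (`count` vs `dc(mid)`)."""
    raw = defaultdict(int)
    mids = defaultdict(set)
    for ev in events:
        key = (bucket_start(ev["_time"]), ev["sender"])
        raw[key] += 1
        mids[key].add(ev["mid"])
    return {key: {"count": raw[key], "dc_mid": len(mids[key])} for key in raw}


def senders_over_threshold(events, threshold=5, field="dc_mid"):
    """Senders whose per-bucket value of `field` is >= threshold, highest first (like `sort 0 - count`)."""
    rows = [(b, s, v[field]) for (b, s), v in aggregate(events).items() if v[field] >= threshold]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    print("raw count :", senders_over_threshold(SAMPLE_EVENTS, field="count"))  # alice and bob
    print("dc(mid)   :", senders_over_threshold(SAMPLE_EVENTS))                  # only bob
```

With a plain count, alice's 3 emails with 2 hits each show up as 6 and would alert; with dc(mid) only bob, who actually sent 5 distinct emails in one bucket, is returned, and carol's 5 emails split across two days are not.
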

gfreitas
Builder

Try replacing "stats count by _time sender" with "stats dc(sender) as count by _time".
The dc command is the distinct count of values for that field.
