I have the following alert created in Splunk to alert me when the number of firewall drops exceeds 30 within a specified time span:
source="udp:514" error_code=106001 | stats count as NumDrops by src_ip | where NumDrops > 30
When I receive the email for this alert, the attached csv file contains only the src_ip and NumDrops fields. This is understandable, as this is what the search returns. However, I would like to see each individual log that comprises this search in the alert email. How would I go about doing this? Do I need to somehow chain the searches, whereby I find out which src_ip triggers the alert and then perform another search using this src_ip?
Thanks!
You could replace stats with eventstats. Instead of dropping everything but the count and the src_ip, it adds the count to the event.
Works great! Thanks.
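Added example, not from the original thread: a small Python model of the two pipelines discussed above (`... | stats count as NumDrops by src_ip | where NumDrops > 30` versus the same search with `eventstats`), run over constructed firewall drop lines so the difference in what reaches the alert attachment is visible. The sample events, the field names other than src_ip, error_code and NumDrops, and the helper function names are all assumptions for illustration; Splunk's own implementation is not reproduced here.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the original post): drop records
# carrying error_code=106001 and a src_ip field, with one noisy source that
# exceeds the 30-drop threshold and one unrelated event of another code.
SAMPLE_EVENTS = (
    [f"2024-01-01T00:00:{i:02d} error_code=106001 src_ip=10.0.0.5 "
     f"dst_ip=192.0.2.10 dst_port={1000 + i}" for i in range(35)]
    + [f"2024-01-01T00:01:{i:02d} error_code=106001 src_ip=10.0.0.7 "
       f"dst_ip=192.0.2.10 dst_port={2000 + i}" for i in range(3)]
    + ["2024-01-01T00:02:00 error_code=302013 src_ip=10.0.0.9 "
       "dst_ip=192.0.2.10 dst_port=443"]
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Extract key=value fields from one log line; keep the raw text as _raw."""
    fields = dict(FIELD_RE.findall(line))
    fields["_raw"] = line
    return fields


def search(lines, error_code="106001"):
    """Base search: keep only events whose error_code matches."""
    return [e for e in map(parse, lines) if e.get("error_code") == error_code]


def stats_count_by(events, field, as_name):
    """stats-like: collapse the event stream to one row per distinct field value."""
    counts = Counter(e[field] for e in events)
    return [{field: value, as_name: n} for value, n in counts.items()]


def eventstats_count_by(events, field, as_name):
    """eventstats-like: keep every event and attach the group count to it."""
    counts = Counter(e[field] for e in events)
    return [dict(e, **{as_name: counts[e[field]]}) for e in events]


def where_gt(rows, field, threshold):
    """where-like filter on a numeric field."""
    return [r for r in rows if r[field] > threshold]


def alert_rows_stats(lines, threshold=30):
    """Original alert: one summary row per offending src_ip."""
    return where_gt(stats_count_by(search(lines), "src_ip", "NumDrops"),
                    "NumDrops", threshold)


def alert_rows_eventstats(lines, threshold=30):
    """Suggested alert: every individual drop event from an offending src_ip."""
    return where_gt(eventstats_count_by(search(lines), "src_ip", "NumDrops"),
                    "NumDrops", threshold)


if __name__ == "__main__":
    for row in alert_rows_stats(SAMPLE_EVENTS):
        print("stats      ->", row)
    for row in alert_rows_eventstats(SAMPLE_EVENTS):
        print("eventstats ->", row["src_ip"], row["NumDrops"], row["_raw"])
```

With the stats version the filter sees a single row (10.0.0.5, 35), which is why the attached csv shows only src_ip and NumDrops. With eventstats the same threshold is applied to each event, so all 35 drop lines from 10.0.0.5 pass through with their original fields intact, and the low-volume source (10.0.0.7, 3 drops) is filtered out as before. The attachment therefore grows with the number of drops rather than the number of sources, which is worth keeping in mind when choosing the threshold and time span.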