Solved: Alert by Source IP Where Threshold Exceeded

vragosta · ‎03-11-2013

I have the following alert created in Splunk to alert me when the number of firewall drops exceeds 30 within a specified time span:

source="udp:514" error_code=106001 | stats count as NumDrops by src_ip | where NumDrops > 30

When I receive the email for this alert, the attached csv file contains only the src_ip and NumDrops fields. This is understandable, as this is what the search returns. However, I would like to see each individual log that comprises this search in the alert email. How would I go about doing this? Do I need to somehow chain the searches, whereby I find out which src_ip triggers the alert and then perform another search using this src_ip?

Thanks!

martin_mueller · ‎03-11-2013

You could replace stats with eventstats. Instead of dropping everything but the count and the src_ip it adds the count to the event.

View solution in original post

martin_mueller · ‎03-11-2013

You could replace stats with eventstats. Instead of dropping everything but the count and the src_ip it adds the count to the event.

vragosta · ‎03-12-2013

Works great! Thanks.

Alert by Source IP Where Threshold Exceeded

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM