I am wanting to trigger an alert when there are multiple auth timeouts from a single NAS IP. I am using the search below to find the auth timeouts and am creating an alert from that search. But I want the trigger condition to be if we see 10 or more of these timeouts from a single NAS IP without having to create an individual alert per NAS IP.
host = "auth-server" "login_status=timeout"
host = "auth-server" "login_status=timeout"
|stats count by NAS_IP
| where count >= 10
fire alert event count > 0
Thank you. When I use this in the search, nothing shows up - even if I change it to "where count >= 1". Any ideas?
I don't know whether your log has a NAS_IP field. You should change it to your field.
host = "auth-server" "login_status=timeout"
Why do you search for the string "login_status=timeout"? Is login_status nothing?
see: https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf
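To show why the threshold search can come back empty, here is an added example (not code from the thread or from Splunk) that mirrors the `login_status=timeout | stats count by NAS_IP | where count >= 10` pipeline in plain Python over constructed auth-server events. It assumes a key=value log format such as `NAS_IP=10.0.0.1 login_status=timeout`; the real log layout is an assumption, and the sample events below are made up. The point it demonstrates is that events in which no NAS_IP field is extracted are silently dropped by the `stats ... by NAS_IP` step, so if field extraction is not happening, the alert never fires even with `where count >= 1`.

```python
import re
from collections import Counter

# Constructed sample events in the key=value style the thread's search implies.
# The exact format of the real auth-server logs is an assumption.
SAMPLE_EVENTS = (
    ["2024-01-01T10:00:%02dZ host=auth-server user=u%d NAS_IP=10.0.0.1 login_status=timeout" % (i, i)
     for i in range(10)]
    + ["2024-01-01T10:01:%02dZ host=auth-server user=v%d NAS_IP=10.0.0.2 login_status=timeout" % (i, i)
       for i in range(3)]
    + ["2024-01-01T10:02:00Z host=auth-server user=w1 NAS_IP=10.0.0.2 login_status=ok"]
    # Two timeouts with no NAS_IP field at all: `stats count by NAS_IP` drops these,
    # which is one way the search in the thread can return nothing.
    + ["2024-01-01T10:03:00Z host=auth-server user=x1 login_status=timeout",
       "2024-01-01T10:03:01Z host=auth-server user=x2 login_status=timeout"]
)

# Simple key=value extractor, comparable to Splunk's automatic field discovery.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_fields(event: str) -> dict:
    """Return the key=value pairs found in one raw event."""
    return {k: v.strip('"') for k, v in KV_RE.findall(event)}


def filter_timeouts(events) -> list:
    """Equivalent of the base search: keep events whose login_status is timeout."""
    records = [extract_fields(e) for e in events]
    return [r for r in records if r.get("login_status") == "timeout"]


def count_by_nas_ip(records):
    """Equivalent of `stats count by NAS_IP`.

    Returns (counts, dropped): counts per NAS_IP, plus how many records were
    discarded because they carried no NAS_IP field (stats-by drops those).
    """
    counts = Counter()
    dropped = 0
    for r in records:
        ip = r.get("NAS_IP")
        if ip is None:
            dropped += 1
            continue
        counts[ip] += 1
    return counts, dropped


def nas_ips_over_threshold(events, threshold: int = 10) -> list:
    """Equivalent of `| where count >= threshold`, as sorted (NAS_IP, count) rows."""
    counts, _ = count_by_nas_ip(filter_timeouts(events))
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


def alert_fires(events, threshold: int = 10) -> bool:
    """The alert trigger condition from the thread: number of results > 0."""
    return len(nas_ips_over_threshold(events, threshold)) > 0


if __name__ == "__main__":
    counts, dropped = count_by_nas_ip(filter_timeouts(SAMPLE_EVENTS))
    print("timeouts per NAS_IP:", dict(counts))
    print("timeout events dropped for missing NAS_IP:", dropped)
    print("rows at threshold 10:", nas_ips_over_threshold(SAMPLE_EVENTS, 10))
    print("alert fires:", alert_fires(SAMPLE_EVENTS, 10))
```

The `dropped` counter is the diagnostic worth carrying over to Splunk: if a search with no threshold at all returns events, but adding `stats count by NAS_IP` returns nothing, the field is not being extracted, and a `rex` or a proper field extraction has to come before the `stats`.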