Hi,
I'm trying to design real-time alerts that trigger if "one" or more events with similar event properties are detected over a period of time.
Imagine data like this:
TIME Action IP
08-10-2015 02:10:00 ABCDE 192.168.1.1
08-10-2015 02:15:00 ABCDE 192.168.1.1
08-10-2015 02:25:00 ABCDE 192.168.1.1
08-10-2015 02:30:00 ABCDE 192.168.1.2
08-10-2015 02:35:00 ABCDE 192.168.1.1
This search string:
sourcetype=imaginarydatasource | transaction maxspan=20min IP
would give back these results:
Event 1
08-10-2015 02:10:00 ABCDE 192.168.1.1
08-10-2015 02:15:00 ABCDE 192.168.1.1
08-10-2015 02:25:00 ABCDE 192.168.1.1
Event 2
08-10-2015 02:30:00 ABCDE 192.168.1.2
Event 3
08-10-2015 02:35:00 ABCDE 192.168.1.1
Is it possible to create a working alert that searches data in real time with this search string and then sends me grouped-up event data, like in this example, via email?
(3 emails in this example)
Or should I schedule an hourly alert?
Thanks in advance!
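Added illustration, not code from the original post or from Splunk: a Python sketch of the grouping the question expects from `transaction maxspan=20min IP`, run oldest-first over the sample rows (the constructed `RAW_EVENTS` string, parsed with an assumed DD-MM-YYYY date format), with each group rendered as the body of one alert email. Splunk's own transaction command applies its own ordering and closing rules, so its output can differ from this sketch.

```python
from datetime import datetime, timedelta

# Constructed sample events mirroring the table in the question.
RAW_EVENTS = """\
08-10-2015 02:10:00 ABCDE 192.168.1.1
08-10-2015 02:15:00 ABCDE 192.168.1.1
08-10-2015 02:25:00 ABCDE 192.168.1.1
08-10-2015 02:30:00 ABCDE 192.168.1.2
08-10-2015 02:35:00 ABCDE 192.168.1.1
"""

def parse_events(text):
    """Parse 'DD-MM-YYYY HH:MM:SS ACTION IP' lines (date format assumed)
    into (time, action, ip) tuples, sorted oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, action, ip = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%d-%m-%Y %H:%M:%S")
        events.append((ts, action, ip))
    return sorted(events)

def group_by_span(events, key_index=2, maxspan=timedelta(minutes=20)):
    """Group events sharing a key (the IP field by default) while the time
    from the group's first event to the current event stays within maxspan.
    When that span would be exceeded, the group is closed and a new one opened."""
    open_groups = {}   # key -> list of events in the currently open group
    closed = []
    for ev in events:
        key = ev[key_index]
        grp = open_groups.get(key)
        if grp is not None and ev[0] - grp[0][0] <= maxspan:
            grp.append(ev)
        else:
            if grp is not None:
                closed.append(grp)
            open_groups[key] = [ev]
    closed.extend(open_groups.values())
    # Order groups by their first event's time, like the listing in the question.
    return sorted(closed, key=lambda g: g[0][0])

def render_alert(group):
    """Format one group as the body of a single alert email."""
    return "\n".join(f"{ts:%d-%m-%Y %H:%M:%S} {action} {ip}" for ts, action, ip in group)

if __name__ == "__main__":
    for n, g in enumerate(group_by_span(parse_events(RAW_EVENTS)), 1):
        print(f"Event {n}\n{render_alert(g)}\n")
```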