Identifying source and destination IP addresses for too many open connections
Use case
Compare the current time window with the previous time window and list the source and destination IP addresses that appear at least 10 times (too many connections to an application server) in the current window and were also seen in the previous window.
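The comparison described above, worked through in Python as an added example (this is not Skedler's own code). It assumes the documents returned by the alert's two Elasticsearch queries carry a `Timestamp` plus `srcIp` and `dstIp` fields, and applies the "Repeated value" rule client-side: count each value in the current window, keep those with count >= 10, and report only the ones that also appeared in the previous window. The sample records are constructed to reproduce the counts shown in the notification, plus two extra addresses that the rule must reject.

```python
"""Worked example of the Repeated value comparison described in the use case.

Added illustration, not Skedler's own code. It assumes the documents returned
by the alert's two Elasticsearch queries look like
{"Timestamp": "2017-12-16T12:20:00.000Z", "srcIp": "...", "dstIp": "..."}
and applies the rule client-side: count each srcIp/dstIp value in the current
window, keep the values with count >= MIN_COUNT, and report only those that
also appeared (with any count) in the previous window.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

MIN_COUNT = 10                     # "min count 10" from the use case
FIELDS = ("srcIp", "dstIp")

# Window boundaries taken from the notification's range filters (UTC).
PREV_START = datetime(2017, 12, 16, 11, 20, tzinfo=timezone.utc)
CUR_START = datetime(2017, 12, 16, 12, 20, tzinfo=timezone.utc)  # previous window ends here
CUR_END = datetime(2017, 12, 16, 12, 35, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the Elasticsearch date_time format used in the queries (trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(record, start, end):
    """Half-open window [start, end) so a record on the shared boundary is counted
    in exactly one window (the notification's queries use lte on both sides)."""
    return start <= parse_ts(record["Timestamp"]) < end


def repeated_values(records, prev_start, cur_start, cur_end,
                    min_count=MIN_COUNT, fields=FIELDS):
    """Return [(field, value, count)] for values with count >= min_count in the
    current window that were also present in the previous window."""
    current = [r for r in records if in_window(r, cur_start, cur_end)]
    previous = [r for r in records if in_window(r, prev_start, cur_start)]
    rows = []
    for field in fields:
        seen_before = {r[field] for r in previous if field in r}
        counts = Counter(r[field] for r in current if field in r)
        for value, count in counts.most_common():
            if count >= min_count and value in seen_before:
                rows.append((field, value, count))
    return rows


def make_flows(src, dst, count, start, minutes):
    """Constructed sample documents: `count` connections from src to dst spread
    evenly over `minutes` minutes starting at `start`."""
    step = timedelta(seconds=minutes * 60 / count)
    return [{"Timestamp": (start + i * step).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
             "srcIp": src, "dstIp": dst} for i in range(count)]


# Constructed data: the IPs from the notification plus two extras (hypothetical).
SAMPLE_RECORDS = (
    # previous window (60 minutes)
    make_flows("129.89.1.70", "20.103.9.12", 5, PREV_START, 60)
    + make_flows("105.3.152.219", "100.30.12.98", 3, PREV_START, 60)
    + make_flows("10.0.0.5", "203.0.113.9", 8, PREV_START, 60)
    # current window (15 minutes)
    + make_flows("129.89.1.70", "20.103.9.12", 32, CUR_START, 15)
    + make_flows("129.89.1.70", "198.51.100.1", 18, CUR_START, 15)  # dst never seen before
    + make_flows("105.3.152.219", "100.30.12.98", 12, CUR_START, 15)
    + make_flows("10.0.0.5", "100.30.12.98", 7, CUR_START, 15)      # src below threshold
)


def run_example():
    """Rows the alert would report for the constructed data."""
    return repeated_values(SAMPLE_RECORDS, PREV_START, CUR_START, CUR_END)


if __name__ == "__main__":
    print("Field | Value | Count")
    for field, value, count in run_example():
        print(f"{field} | {value} | {count}")
```

Note the two rejected cases: `198.51.100.1` receives 18 connections in the current window but is dropped because it never appeared in the previous window (that would be a "new value", not a repeated one), and `10.0.0.5` was seen before but only makes 7 connections now, below the threshold. Using a half-open window avoids counting a document timestamped exactly on the 17:50 boundary in both windows, which the notification's `gte`/`lte` pair would do.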
Notification Types: Email
User Inputs
See the image below for how to set up this alert in Skedler Alerts.
Notification received via Email
Hi,
Alert has been triggered for alert "Repeatedly occurred IP addresses" on Sat Dec 16,2017 18:05:00 IST
Alert Condition:
Rule Type: Repeated value, Keyword Filter: * - select * from .data* where timeWindow between Sat Dec 16,2017 17:50:00 IST - Sat Dec 16,2017 18:05:45 IST
TimeWindow:
Sat Dec 16,2017 17:50:00 IST - Sat Dec 16,2017 18:05:45 IST
Elasticsearch Query:
```json
{"size":10000,"sort":[{"Timestamp":{"order":"desc","unmapped_type":"date"}}],"query":{"bool":{"must":[{"range":{"Timestamp":{"gte":"2017-12-16T12:20:00.000Z","lte":"2017-12-16T12:35:00.000Z","format":"date_time"}}},{"query_string":{"query":"*","analyze_wildcard":true}}],"should":[],"must_not":[]}},"aggs":{"count":{"value_count":{"field":"_index"}}}}
```
```json
{"size":10000,"sort":[{"Timestamp":{"order":"desc","unmapped_type":"date"}}],"query":{"bool":{"must":[{"range":{"Timestamp":{"gte":"2017-12-16T11:20:00.000Z","lte":"2017-12-16T12:20:00.000Z","format":"date_time"}}},{"query_string":{"query":"*","analyze_wildcard":true}}],"should":[],"must_not":[]}},"aggs":{"count":{"value_count":{"field":"_index"}}}}
```
Matching Records:
Repeated value for data generated from Sat Dec 16,2017 17:50:00 IST to Sat Dec 16,2017 18:05:00 IST not seen in previous Sat Dec 16,2017 16:05:00 IST to Sat Dec 16,2017 16:05:00 IST
Field | Value | Count |
---|---|---|
srcIp | 105.3.152.219 | 12 |
srcIp | 129.89.1.70 | 50 |
dstIp | 20.103.9.12 | 32 |
dstIp | 100.30.12.98 | 19 |
Thanks
Conclusion
The table below lists the source and destination IP addresses that occurred at least 10 times (count >= 10) in the current time window and were also seen in the previous time window.
Field | Value | Count |
---|---|---|
srcIp | 105.3.152.219 | 12 |
srcIp | 129.89.1.70 | 50 |
dstIp | 20.103.9.12 | 32 |
dstIp | 100.30.12.98 | 19 |