Solved: How to get a count of events that generates an ale...

seaed_ac · ‎09-16-2015

I am trying to have a count of events that generates an alert after a host has more than x USB related events during a given amount of time.

This is the type of event:

1   »  9/16/15
3:56:29.653 AM  
usn="46558922" time_stamp="2015-09-16 03:56:29.653 UTC" host_name="HOST" vapi_name="File Write" begin_time="2015-09-15 16:15:52.502 UTC" end_time="2015-09-15 17:00:44.533 UTC" caller_process_id="2128" caller_process_name="C:/Program.exe" parameter="F:/" user_name="SYSTEM" ip_addr="0.0.0.0" file_size="0" param_device_id="USBSTOR\Disk&Ven_HUAWEI&Prod_TF_CARD_Storage&Rev_2.31\7&12ad7558&0"

woodcock · ‎09-16-2015

Save this search and trigger for Number of events greater than 0:

... | stats count by host | where count < X

View solution in original post

somesoni2 · ‎09-16-2015

Try something like this

index=yourindex sourcetype=yoursourcetype param_device_id="USB*" | stats count by host_name | where count>yourXvalue

Set the alert condition as Where number of event > 0 from this search

woodcock · ‎09-16-2015

Save this search and trigger for Number of events greater than 0:

... | stats count by host | where count < X

seaed_ac · ‎09-16-2015

Hi there.
Thank you for your reply. How can I differentiate between the different hosts. Basically what I am trying to achieve is to be alerted when a user goes over a pre-defined number of files while using a usb external hdd. So far I get all the hosts together but I need to have it separated either by host_name or by user_name

woodcock · ‎09-16-2015

The search already does count by host; if you need by host_name then do this:

 ... | stats count by host_name | where count < X

How to get a count of events that generates an alert after a host has more than X related events during a given period of time?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!