Splunk Search

Looking for 2 specific field values appearing within 5 minutes of each other

adamblock2
Path Finder

I am interested in identifying when 2 specific values of a field appear within 5 minutes of each other.

I have started my query as follows: "eventtype=bit9 (name=value1 OR name=value2) | transaction name startswith=value1 endswith=value2"

The above query returned events which matched value1, but did not properly show when the 2 events appeared one after the other within 5 minutes.

Assistance with this will be greatly appreciated.

Thank you.

1 Solution

adamblock2
Path Finder

Although I have still not tweaked the following query so that it returns a complete set of results, I think that it is very close to what I am looking for:

eventtype=bit9 (cef_name="New file on network" OR cef_name="Banned file written to computer")
| join dhost type=inner [search eventtype=bit9 cef_name="Banned file written to computer" | eval lastTime=_time| fields dhost,lastTime]
| eval duration = lastTime - _time
| stats values(cef_name) AS cef_name dc(cef_name) AS dc_cef_name values(file_name) AS file_name values(duration) AS duration count by _time, lastTime, dhost
| search duration >=0 duration<=500 dc_cef_name=2
| table _time, lastTime, dhost, cef_name, file_name, duration
| eval lastTime=strftime(lastTime, "%x %X")
| sort dhost



sundareshr
Legend

Try this

eventtype=bit9 (name=value1 OR name=value2)
| streamstats count as txn by name
| stats earliest(_time) as time earliest(eval(if(name="value1",_time,null()))) as start earliest(eval(if(name="value2",_time,null()))) as end values(user) as user values(cef_name) as cef_name by txn
| eval duration=end-start
| where duration<=300
| table time user cef_name duration
| eval time=strftime(time, "%x %X")

woodcock
Esteemed Legend

Try this:

eventtype=bit9 (name="value1" OR name="value2")
| reverse
| streamstats count(eval(name="value1")) AS SessionID
| stats count min(_time) AS firstTime max(_time) AS lastTime values(*) AS * BY SessionID
| eval duration = lastTime - firstTime
| search name="value1" AND name="value2" AND duration<=300

jluo_splunk
Splunk Employee

I think the issue is that you're building a transaction based on the name, meaning that it is the unique identifier. Each transaction is built on the unique values of "name". If you want name to potentially have two values in a transaction, you will need to build the transaction on a different field.


adamblock2
Path Finder

I have updated the transaction as follows:

eventtype=bit9 (cef_name="Banned file written to computer" OR cef_name="New unapproved file to computer")
| transaction maxspan=5m maxevents=2 user
| table _time,user,cef_name,eventcount

I am interested in a situation where a user first triggers "Banned file written to computer" and within a period of 5 minutes then triggers "New unapproved file to computer". I am getting the feeling that the transaction command is not the right way to do this.

Any suggestions?

Thank you.

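The goal stated in this thread (a user triggers "Banned file written to computer" and then "New unapproved file to computer" within 5 minutes) as a stand-alone detector run over sample log lines. This is an added example, not code from any of the posts above or from Splunk or Bit9. It groups by the user rather than by the event-name field, which is the point jluo_splunk makes, processes events oldest-first (the reason for `reverse` in woodcock's answer), and expires start events older than the window. The CEF lines and the extension keys rt, duser, dhost and fname are constructed for the example.

```python
"""Sequence detection: event A followed by event B for the same entity within
N seconds, run over a batch of CEF-style log lines.

Added example for this thread, not code from the original posts or from
Splunk or Bit9. The log lines are constructed; the CEF extension keys used
here (rt, duser, dhost, fname) are assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

BANNED = "Banned file written to computer"
UNAPPROVED = "New unapproved file to computer"
WINDOW_S = 300  # the thread's 5-minute window

# Constructed sample data in CEF layout:
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# rt is epoch milliseconds. Lines are deliberately not in time order, and
# Splunk would hand them back newest-first, so the detector sorts itself.
SAMPLE_LOGS = [
    "CEF:0|Bit9|Security Platform|7.2|1|Banned file written to computer|7|rt=1700000000000 duser=alice dhost=ws01 fname=a.exe",
    "CEF:0|Bit9|Security Platform|7.2|2|New file on network|3|rt=1700000030000 duser=alice dhost=ws01 fname=b.dll",
    "CEF:0|Bit9|Security Platform|7.2|3|New unapproved file to computer|5|rt=1700000010000 duser=bob dhost=ws02 fname=c.exe",
    "CEF:0|Bit9|Security Platform|7.2|1|Banned file written to computer|7|rt=1700000000000 duser=carol dhost=ws03 fname=d.exe",
    "CEF:0|Bit9|Security Platform|7.2|1|Banned file written to computer|7|rt=1700000000000 duser=dave dhost=ws04 fname=e.exe",
    "CEF:0|Bit9|Security Platform|7.2|1|Banned file written to computer|7|rt=1700000060000 duser=bob dhost=ws02 fname=f.exe",
    "CEF:0|Bit9|Security Platform|7.2|1|Banned file written to computer|7|rt=1700000100000 duser=dave dhost=ws04 fname=g.exe",
    "CEF:0|Bit9|Security Platform|7.2|3|New unapproved file to computer|5|rt=1700000120000 duser=alice dhost=ws01 fname=h.exe",
    "CEF:0|Bit9|Security Platform|7.2|3|New unapproved file to computer|5|rt=1700000200000 duser=dave dhost=ws04 fname=i.exe",
    "CEF:0|Bit9|Security Platform|7.2|3|New unapproved file to computer|5|rt=1700000400000 duser=carol dhost=ws03 fname=j.exe",
]


def parse_cef(line):
    """Split a CEF line into its seven header fields plus key=value extension.
    The extension values in the samples contain no spaces, so a plain
    whitespace split is enough here (real CEF values may embed spaces)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    ext = dict(kv.split("=", 1) for kv in parts[7].split())
    return {"cef_name": parts[5], "_time": int(ext["rt"]) / 1000.0, **ext}


def find_sequences(events, first, second, window_s, key="duser"):
    """Return (entity, t_first, t_second, duration) for every `second` event
    that follows a `first` event for the same entity within window_s seconds.

    Events are processed oldest-first. Grouping is by the entity (`key`),
    never by the event name: a transaction built on the name field holds a
    single name, so it can never contain both A and B. Each `first` is
    consumed by at most one `second` (the nearest preceding one, like
    `transaction maxevents=2`); starts older than the window are dropped.
    """
    pending = defaultdict(list)  # entity -> timestamps of unmatched `first`
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        entity = ev.get(key)
        if entity is None:
            continue
        if ev["cef_name"] == first:
            pending[entity].append(ev["_time"])
        elif ev["cef_name"] == second:
            # expire starts outside the window, then take the most recent one
            live = [t for t in pending[entity] if ev["_time"] - t <= window_s]
            if live:
                t_first = live.pop()
                hits.append((entity, t_first, ev["_time"], ev["_time"] - t_first))
            pending[entity] = live
    return hits


def detect(lines, first=BANNED, second=UNAPPROVED, window_s=WINDOW_S, key="duser"):
    """Parse raw lines and run the sequence detector over them."""
    return find_sequences([parse_cef(ln) for ln in lines], first, second, window_s, key)


def _fmt(t):
    return datetime.fromtimestamp(t, timezone.utc).strftime("%x %X")


if __name__ == "__main__":
    # alice matches (120 s); dave matches against his later start (100 s);
    # bob is in the wrong order and carol is 400 s apart, so neither matches.
    for who, t1, t2, dur in detect(SAMPLE_LOGS):
        print(f"{who}: {BANNED!r} at {_fmt(t1)} then {UNAPPROVED!r} at {_fmt(t2)} ({dur:.0f}s)")
```

The `join`-based solution above keeps only one subsearch row per dhost by default, which is one reason it returns an incomplete set; the per-entity pending list here is the equivalent of letting every start event be matched independently.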