Reporting

How to configure a Haversine scheduled report so that a user will not appear multiple times each time the report is run?

afarmer
Explorer

I use the haversine formula to search for users who have logged into resources within a short period of time in the last 24 hours. I have a scheduled report set to run every hour and it looks back at the past 24 hours across our authentication logs. The report works perfectly, but here is the issue.

Let's say my scheduled report will run at 9:00AM.
A particular username is shown as logging in from Atlanta, Georgia, and logging in from Paris, France, within a 5 minute time frame.
My scheduled report runs every hour, so this user will appear as logging in from both cities.

However, since my report runs every hour, this user will continue to appear each hour until the 24 hour time frame has passed. As you can tell, if I set up an alert, I'll receive many emails each hour.

What is the best way to configure the report/alert so that this user will only appear once and not every time the report runs? The alert settings don't seem to have an effect.

Thanks in advance.

0 Karma
1 Solution

woodcock
Esteemed Legend

Just add this to the end of your search:

| eventstats latest(_time) AS mostRecentTime BY user
| where mostRecentTime >= (now() - 3600)
| fields - mostRecentTime

This will keep only those groups of events where at least one of them happened in the last hour.


0 Karma
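To make the accepted answer's behaviour concrete, here is an added Python simulation (not code from this thread or from Splunk) of both halves of the question: the haversine impossible-travel check from the original post and the `eventstats latest(_time) ... | where mostRecentTime >= now() - 3600` filter from the answer. The events, usernames, coordinates and timestamps are constructed for the example; the 5-minute window and 500 km threshold are assumed parameters, since the thread does not give the original search.

```python
from math import radians, sin, cos, asin, sqrt
from itertools import combinations

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed sample authentication events (not real logs); _time is epoch seconds.
# alice: Atlanta then Paris four minutes later (impossible travel).
# bob:   two Atlanta logins two minutes apart (benign).
T0 = 1_700_000_000
EVENTS = [
    {"user": "alice", "_time": T0,       "city": "Atlanta", "lat": 33.749,  "lon": -84.388},
    {"user": "alice", "_time": T0 + 240, "city": "Paris",   "lat": 48.8566, "lon": 2.3522},
    {"user": "bob",   "_time": T0,       "city": "Atlanta", "lat": 33.749,  "lon": -84.388},
    {"user": "bob",   "_time": T0 + 120, "city": "Atlanta", "lat": 33.749,  "lon": -84.388},
]


def flag_impossible_travel(events, window_s=300, min_km=500):
    """Return the events of every user with two logins <= window_s apart in time
    and > min_km apart in distance (assumed thresholds, not the poster's)."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    flagged = []
    for evs in by_user.values():
        hit = any(
            abs(a["_time"] - b["_time"]) <= window_s
            and haversine_km(a["lat"], a["lon"], b["lat"], b["lon"]) > min_km
            for a, b in combinations(evs, 2)
        )
        if hit:
            flagged.extend(evs)
    return flagged


def keep_recently_active(events, now, lookback_s=3600):
    """Python equivalent of the accepted answer:
       | eventstats latest(_time) AS mostRecentTime BY user
       | where mostRecentTime >= (now() - 3600)
    Keeps a user's whole group of events only if the newest one is within lookback_s."""
    most_recent = {}
    for e in events:
        most_recent[e["user"]] = max(most_recent.get(e["user"], 0), e["_time"])
    return [e for e in events if most_recent[e["user"]] >= now - lookback_s]


def run_report(events, now, earliest_s=24 * 3600, dedup=True):
    """One execution of the scheduled search over the trailing 24 hours;
    returns the sorted usernames that would trigger the alert."""
    window = [e for e in events if now - earliest_s <= e["_time"] <= now]
    results = flag_impossible_travel(window)
    if dedup:
        results = keep_recently_active(results, now)
    return sorted({e["user"] for e in results})


def simulate_hourly_runs(events, first_run, runs=25, dedup=True):
    """Alerted users for each of `runs` consecutive hourly executions."""
    return [run_report(events, first_run + i * 3600, dedup=dedup) for i in range(runs)]


if __name__ == "__main__":
    noisy = simulate_hourly_runs(EVENTS, T0 + 1800, dedup=False)
    quiet = simulate_hourly_runs(EVENTS, T0 + 1800, dedup=True)
    print("runs alerting on alice without the filter:", sum(r == ["alice"] for r in noisy))
    print("runs alerting on alice with the filter:   ", sum(r == ["alice"] for r in quiet))
```

Without the filter alice is re-alerted on every hourly run for the full 24-hour lookback (24 emails); with it she appears only on the run whose trailing hour contains her newest login. The filter assumes the schedule really fires every hour: if a run is skipped or delayed past the hour, a user whose latest event fell in that gap is never alerted, so the `3600` should be no smaller than the real interval between runs (and some margin for schedule lag is reasonable).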

afarmer
Explorer

That's it! I completely overlooked the eventstats command and it's obvious now. Thanks!

0 Karma

somesoni2
SplunkTrust

What's the current query/logic that you're using? Are you checking if a user has logged from multiple cities/resources with a specified interval?

0 Karma