Splunk search that finds when matches 2 events but...

SystemsEnginee1 · ‎09-05-2017

Need to find the solution for a Splunk search that finds when Event_ID=24 and Event_ID=40 but not Event_ID=23 within a 5 second interval over the last 24 hours.

Thank you!

woodcock · ‎09-06-2017

Run this search for Last 24 hours:

| makeresults
| eval raw="A,24,40 B,42,25,40,40,41 C,24,40,23 D,22,21,42,41"
| makemv raw
| mvexpand raw
| streamstats count AS _serial
| eval _time = _time + 20*_serial
| rename raw AS _raw
| rex "^(?<host>[^,]+),(?<Event_ID>.*)"
| makemv delim="," Event_ID
| mvexpand Event_ID
| fields - _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats time_window=5 count(eval(Event_ID=24)) AS Event_ID_24 count(eval(Event_ID=40)) AS Event_ID_40 count(eval(Event_ID=23)) AS Event_ID_23 BY host
| search Event_ID_24>0 AND Event_ID_40>0 AND Event_ID_23=0

SystemsEnginee1 · ‎09-11-2017

Thank you for all your help and answers. Unfortunately with your solution I'm still having the issue where it is matching both Scenario A and Scenario C, I was trying to only match Scenario A. I'll be taking another look at this soon, but thanks for all the time people have committed so far!

woodcock · ‎09-06-2017

Actually, this does not work, but it might be made to work?

DalJeanis · ‎09-06-2017

@woodcock - I'd tend to put an s on the time_window=5, but it's the same effect and otherwise just so.

SystemsEnginee1 · ‎09-06-2017

Thanks for all your answers. I think maybe I need to expand on what the whole picture looks like. In the following four scenarios, I only want to match 'Scenario A'. In each scenario all the events happen within a second or two (thus within 5 seconds).

At 2:25pm - Scenario A:
- Event_ID=24
- Event_ID=40

At 2:27pm - Scenario B:
- Event_ID=42
- Event_ID=25
- Event_ID=40
- Event_ID=40
- Event_ID=41

At 2:33pm - Scenario C:
- Event_ID=24
- Event_ID=40
- Event_ID=23

2:37pm - Scenario 😧
- Event_ID=22
- Event_ID=21
- Event_ID=42
- Event_ID=41

Thanks!

gcusello · ‎09-06-2017

Hi SystemsEngineer,
trys omething like this:

your_search
| transaction host startswith="Event_ID=24" maxspan=5s
| search Event_ID=40 NOT Event_ID=23

Bye.
Giuseppe

jkat54 · ‎09-06-2017

I thought this might work too.

gcusello · ‎09-06-2017

try it!
Bye.
Giuseppe
P.S.: if this answer satisfy your request, please accept it.

SystemsEnginee1 · ‎09-06-2017

Sorry, I've tried both of these options above and it matches more than just 'Scenario A'. Not sure, but I could be missing something. The base search brings up all the Scenario's data listed above in my expanded comments, but I just want to match 'Scenario A', (when Event_ID=24 and Event_ID=40 exist, but not Event_ID=23). Thank you!

gcusello · ‎09-06-2017

Hi
try this

 your_search
 | transaction host startswith="Event_ID=24" maxspan=5s
 | search Event_ID=24 Event_ID=40 NOT Event_ID=23

Bye.
Giuseppe

jkat54 · ‎09-05-2017

I think this would work:

index=yourIndexName 
| transaction host startswith=eval(Event_ID=24) endswith=eval(Event_ID=23) maxspan=5s keeporphans=true 
| where _txn_orphan=1

Splunk search that finds when matches 2 events but does not match a third within a 5-second interval over the last 24 hours?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio