Splunk Search

Splunk search that finds when matches 2 events but does not match a third within a 5-second interval over the last 24 hours?

SystemsEnginee1
New Member

Need to find the solution for a Splunk search that finds when Event_ID=24 and Event_ID=40 but not Event_ID=23 within a 5-second interval over the last 24 hours.

Thank you!

0 Karma

woodcock
Esteemed Legend

Run this search for Last 24 hours:

| makeresults
| eval raw="A,24,40 B,42,25,40,40,41 C,24,40,23 D,22,21,42,41"
| makemv raw
| mvexpand raw
| streamstats count AS _serial
| eval _time = _time + 20*_serial
| rename raw AS _raw
| rex "^(?<host>[^,]+),(?<Event_ID>.*)"
| makemv delim="," Event_ID
| mvexpand Event_ID
| fields - _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats time_window=5 count(eval(Event_ID=24)) AS Event_ID_24 count(eval(Event_ID=40)) AS Event_ID_40 count(eval(Event_ID=23)) AS Event_ID_23 BY host
| search Event_ID_24>0 AND Event_ID_40>0 AND Event_ID_23=0

SystemsEnginee1
New Member

Thank you for all your help and answers. Unfortunately with your solution I'm still having the issue where it is matching both Scenario A and Scenario C, I was trying to only match Scenario A. I'll be taking another look at this soon, but thanks for all the time people have committed so far!

0 Karma

woodcock
Esteemed Legend

Actually, this does not work, but it might be made to work?

0 Karma

DalJeanis
SplunkTrust

@woodcock - I'd tend to put an s on the time_window=5, but it's the same effect and otherwise just so.

0 Karma

SystemsEnginee1
New Member

Thanks for all your answers. I think maybe I need to expand on what the whole picture looks like. In the following four scenarios, I only want to match 'Scenario A'. In each scenario all the events happen within a second or two (thus within 5 seconds).

At 2:25pm - Scenario A:
- Event_ID=24
- Event_ID=40

At 2:27pm - Scenario B:
- Event_ID=42
- Event_ID=25
- Event_ID=40
- Event_ID=40
- Event_ID=41

At 2:33pm - Scenario C:
- Event_ID=24
- Event_ID=40
- Event_ID=23

At 2:37pm - Scenario D:
- Event_ID=22
- Event_ID=21
- Event_ID=42
- Event_ID=41

Thanks!

0 Karma

gcusello
SplunkTrust

Hi SystemsEngineer,
try something like this:

your_search
| transaction host startswith="Event_ID=24" maxspan=5s
| search Event_ID=40 NOT Event_ID=23

Bye.
Giuseppe

0 Karma

jkat54
SplunkTrust

I thought this might work too.

0 Karma

gcusello
SplunkTrust

try it!
Bye.
Giuseppe
P.S.: if this answer satisfies your request, please accept it.

0 Karma

SystemsEnginee1
New Member

Sorry, I've tried both of these options above and it matches more than just 'Scenario A'. Not sure, but I could be missing something. The base search brings up all the Scenarios' data listed above in my expanded comments, but I just want to match 'Scenario A' (when Event_ID=24 and Event_ID=40 exist, but not Event_ID=23). Thank you!

0 Karma

gcusello
SplunkTrust

Hi
try this

your_search
| transaction host startswith="Event_ID=24" maxspan=5s
| search Event_ID=24 Event_ID=40 NOT Event_ID=23

Bye.
Giuseppe

0 Karma

jkat54
SplunkTrust

I think this would work:

index=yourIndexName
| transaction host startswith=eval(Event_ID=24) endswith=eval(Event_ID=23) maxspan=5s keeporphans=true
| where _txn_orphan=1
0 Karma
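The four scenarios from the thread, worked through in Python as an added example (not code from any of the posters): it models the two grouping rules discussed above, the per-host `transaction ... maxspan=5s` grouping that evaluates a complete group, and the per-event trailing window of `streamstats time_window` that fires on Scenario C before its Event_ID=23 arrives. The host letters, timestamps and event tuples are constructed sample data, not the asker's events.

```python
# Constructed sample events modelled on the four scenarios in the thread.
# Tuples are (host, time in seconds since 2:00pm, Event_ID); the host
# letters A-D are this example's labels, not fields from the asker's data.
SAMPLE_EVENTS = [
    ("A", 1500, 24), ("A", 1501, 40),                       # 2:25pm, Scenario A
    ("B", 1620, 42), ("B", 1620, 25), ("B", 1621, 40),
    ("B", 1621, 40), ("B", 1622, 41),                       # 2:27pm, Scenario B
    ("C", 1980, 24), ("C", 1981, 40), ("C", 1982, 23),      # 2:33pm, Scenario C
    ("D", 2220, 22), ("D", 2220, 21), ("D", 2221, 42),
    ("D", 2221, 41),                                        # 2:37pm, Scenario D
]
MAXSPAN = 5  # seconds, the thread's 5-second interval

def group_by_host(events, maxspan=MAXSPAN):
    """Equivalent of `transaction host maxspan=5s`: per host, consecutive
    events join one group while they stay within maxspan of the group's
    first event; an event outside that span opens a new group."""
    groups = {}  # host -> list of [start_time, [event_ids]]
    for host, ts, eid in sorted(events, key=lambda e: e[1]):
        runs = groups.setdefault(host, [])
        if runs and ts - runs[-1][0] <= maxspan:
            runs[-1][1].append(eid)
        else:
            runs.append([ts, [eid]])
    return [(host, ids) for host, runs in groups.items() for _, ids in runs]

def matching_hosts(events, maxspan=MAXSPAN):
    """Hosts with a group that holds 24 and 40 but no 23: Scenario A only."""
    return sorted({host for host, ids in group_by_host(events, maxspan)
                   if 24 in ids and 40 in ids and 23 not in ids})

def streaming_matches(events, maxspan=MAXSPAN):
    """Models the per-event trailing window of streamstats time_window: the
    rule is tested at every event, so Scenario C passes as soon as 24 and 40
    have arrived, before the 23 that should exclude it is seen."""
    hits, recent = set(), {}  # recent: host -> events in trailing window
    for host, ts, eid in sorted(events, key=lambda e: e[1]):
        window = [(t, e) for t, e in recent.get(host, []) if ts - t <= maxspan]
        window.append((ts, eid))
        recent[host] = window
        ids = [e for _, e in window]
        if 24 in ids and 40 in ids and 23 not in ids:
            hits.add(host)
    return sorted(hits)

if __name__ == "__main__":
    print("complete-group rule:", matching_hosts(SAMPLE_EVENTS))   # ['A']
    print("streaming rule:", streaming_matches(SAMPLE_EVENTS))    # ['A', 'C']
```

The difference in the two results is the behaviour reported in the thread: a rule that is evaluated before the 5-second group is complete cannot know that a 23 is still to come.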