Alerting

Alerts - how to show transactions that occurred before alert triggered

randy_moore
Path Finder

I need to create an alert that does two things: (1) triggers if a "fraud" flag is set to TRUE and (2) shows ONLY the transactions from that site, regardless of whether the fraud flag was set or not. Basically, what people want to see is the behavior that happened leading up to and including the fraud flag being set.

For scenario 1, I have the alert triggered on fraud=TRUE. Works fine. For the 2nd part, I thought I could do a look back of 30 minutes; however, we have 8000+ locations, so I can't just dump the preceding 30 minutes of transactions as that is too much noise.

Application log data looks like this (simplified and hopefully formatted legibly):

Date        Time        Site     Amount    Fraud_Flag
03-09-18    13:21:05    12345    50.00     FALSE
03-09-18    13:21:15    00313    50.00     FALSE
03-09-18    13:21:25    12345    99.00     FALSE
03-09-18    13:21:35    12345    85.00     FALSE
03-09-18    13:21:45    12345    50.00     FALSE
03-09-18    13:21:50    00313    65.00     FALSE
03-09-18    13:21:51    00313    54.00     FALSE
03-09-18    13:21:52    00313    51.00     FALSE
03-09-18    13:21:53    12345    50.00     FALSE
03-09-18    13:21:54    00313    25.00     TRUE

So what happens now is the alert trips at the 13:21:54 entry (site 313) and sends a fraud alert with just that one line out to the teams. What I want is to be able to also get the last 30 minutes of transactions for just the site for which the alert was triggered.

I thought about doing an appendcols but what is stopping me is not knowing how to pass just the one site number.

0 Karma
1 Solution

randy_moore
Path Finder

I used the "map" command to get what I needed. Not sure how efficient that is to do so.
When talking with the stakeholders and showing them what they could get out of the search, they actually wanted me to go back two hours.

Here is my sanitized search:

index=Sites sourcetype=metrics category=transaction earliest=-10m  fraud_trigger="true"  
| stats count by  site_number fraud_trigger
| fillnull value="" site_number
| map maxsearches=1 search="search index=Sites sourcetype=metrics category=transaction earliest=-2h site_number=$site_number$ | `Date_and_Time`| table Date Time site_number endpoint fraud_trigger auth_source amount tran_id  | sort Time"

The 1st line is just looking back 10 minutes for the fraud trigger being set.
The 2nd line is self-explanatory.
The 3rd line is there in case there were no results from the stats.
The 4th line does the heavy lifting. It looks back 2 hours from the trigger time for only the site number where the fraud is happening, by taking the site_number from the preceding search and using it in the map command. It then formats the date and time into something readable and then displays the needed data elements.


0 Karma
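The correlation the accepted search performs (find sites whose fraud flag tripped in the trigger window, then pull every transaction for just those sites over a longer lookback) is easy to lose sight of inside the map syntax. The following is an added Python example, not code from the original post or from Splunk, that implements the same two-stage logic over the sample rows from the question (constructed here as a whitespace-separated log). It assumes "now" is the timestamp of the latest event, that dates are MM-DD-YY, and it goes slightly beyond the posted search: it returns the history for every flagged site rather than only the first one, and it makes the cap that `map maxsearches=1` silently imposes an explicit, visible parameter.

```python
from datetime import datetime, timedelta

# Constructed sample input, taken from the table in the question.
# Columns: Date Time Site Amount Fraud_Flag
SAMPLE_LOG = """\
03-09-18 13:21:05 12345 50.00 FALSE
03-09-18 13:21:15 00313 50.00 FALSE
03-09-18 13:21:25 12345 99.00 FALSE
03-09-18 13:21:35 12345 85.00 FALSE
03-09-18 13:21:45 12345 50.00 FALSE
03-09-18 13:21:50 00313 65.00 FALSE
03-09-18 13:21:51 00313 54.00 FALSE
03-09-18 13:21:52 00313 51.00 FALSE
03-09-18 13:21:53 12345 50.00 FALSE
03-09-18 13:21:54 00313 25.00 TRUE
"""


def parse_log(text):
    """Parse the constructed log into dicts with a real datetime per row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, site, amount, flag = line.split()
        rows.append({
            "ts": datetime.strptime(f"{date} {time}", "%m-%d-%y %H:%M:%S"),
            "site": site,
            "amount": float(amount),
            "fraud": flag.upper() == "TRUE",
        })
    return rows


def flagged_sites(rows, now, trigger_window):
    """Stage 1 (the 'earliest=-10m fraud_trigger=true | stats count by site'
    part): sites with a fraud flag inside the trigger window ending at now."""
    start = now - trigger_window
    return sorted({r["site"] for r in rows
                   if r["fraud"] and start <= r["ts"] <= now})


def site_history(rows, site, now, lookback):
    """Stage 2 (the map / subsearch part): every transaction for one site
    inside the lookback window, oldest first, flagged or not."""
    start = now - lookback
    return sorted((r for r in rows
                   if r["site"] == site and start <= r["ts"] <= now),
                  key=lambda r: r["ts"])


def fraud_context(rows, now, trigger_window=timedelta(minutes=10),
                  lookback=timedelta(hours=2), max_sites=10):
    """Map each flagged site to its recent history.

    max_sites plays the role of map's maxsearches: with maxsearches=1 the
    posted search only ever expands the first site that tripped, so if two
    sites trip in the same window one of them gets no context. Here the cap
    is applied explicitly and the number of dropped sites is returned so a
    caller can notice it instead of silently losing an alert's context.
    """
    sites = flagged_sites(rows, now, trigger_window)
    dropped = max(0, len(sites) - max_sites)
    context = {s: site_history(rows, s, now, lookback)
               for s in sites[:max_sites]}
    return context, dropped


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    now = max(r["ts"] for r in rows)
    context, dropped = fraud_context(rows, now)
    for site, history in context.items():
        print(f"site {site}: {len(history)} transactions in lookback")
        for r in history:
            print(f"  {r['ts']:%m-%d-%y %H:%M:%S} {r['amount']:>7.2f} "
                  f"{'TRUE' if r['fraud'] else 'FALSE'}")
    if dropped:
        print(f"warning: {dropped} flagged site(s) not expanded (cap hit)")
```

Run against the sample it expands only site 00313 and lists its five transactions ending with the TRUE row; site 12345 never appears, which is the noise reduction the question asks for. Shrinking `trigger_window` or moving `now` past the flag drops the site from stage 1 entirely, so the alert fires on the flag's recency rather than on the lookback.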


anjambha
Communicator

Hi randy_moore,

You can try this.

earliest=-30m  <Base search> | where [search earliest=-5m <Base search> | where Fraud_Flag == "TRUE" | return 10000 Site] | table Date Time Site Amount Fraud_Flag

0 Karma

kmaron
Motivator

You might be able to put your alert criteria in a subsearch that returns the site # and the true flag.

0 Karma