Splunk Enterprise Security

How to aggregate events per host per hour?

Hegemon76
Communicator

Hello,

I believe this does not give me what I want but it does at the same time. After events are indexed I'm attempting to aggregate per host per hour for specific Windows events.

More specifically, I don't want to see that a host isn't able to log 17 times within 1 hour. One alert during that period of time is what I'm looking for.

index=wineventlog (EventCode=521 OR EventCode=4617) | bucket _time span=1h | chart count by host

This shows me a total of the alerts that took place within an hour but doesn't necessarily aggregate if I wanted to make an alert for it unless I'm mistaken.

Regards


davpx
Communicator

Try something like

index=wineventlog (EventCode=521 OR EventCode=4617) | timechart span=1h count by host

or

index=wineventlog (EventCode=521 OR EventCode=4617) | timechart span=1h count(eval(EventCode=521)) as EventCode_521 count(eval(EventCode=4617)) as EventCode_4617 by host

elliotproebstel
Champion

Are you trying to make a search you can schedule to run once every hour and alert if the total count of events in that hour for a given host exceeds a threshold? Or do you want to make a table of how many events per host were seen each hour and then only retain the rows where the count exceeded a threshold? It would help a lot to know your end goal.


Hegemon76
Communicator

End goal is instead of having 17 alerts on the same host for the same event (in this case, unable to log) I just want 1 alert for all 17 events based on :insert host:.

So, for instance:

If hosts x, y and z fire this alert, I would want three alerts because the hosts are different, not because the alert simply fired again.

There is no threshold; it's more like an aggregation of the events over the course of an hour so that only 1 alert fires.

Sorry for not being more specific.


elliotproebstel
Champion

In the meantime, you could try the following searches to see if they are showing you what you want:

index=wineventlog (EventCode=521 OR EventCode=4617)
| bin span=1h _time
| stats count by _time, host

or

index=wineventlog (EventCode=521 OR EventCode=4617)
| bin span=1h _time
| chart count by _time, host
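As an added example that is not from any post in this thread, here is how the stats-by-host search above could be wired into a scheduled alert in savedsearches.conf so that each affected host produces exactly one alert per hour; the stanza name and the email recipient are placeholders.

```ini
# Added example stanza for savedsearches.conf (not from this thread).
# Runs once an hour over the previous whole hour and returns one result
# row per host, so per-result triggering yields one alert per host.
[Windows logon failure - one alert per host per hour]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Parentheses matter: without them AND binds tighter than OR and the
# EventCode=4617 clause is not restricted to index=wineventlog.
search = index=wineventlog (EventCode=521 OR EventCode=4617) \
  | stats count AS event_count min(_time) AS first_seen max(_time) AS last_seen \
          values(EventCode) AS event_codes BY host \
  | eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), \
         last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
# Trigger whenever the search returns at least one row (no threshold,
# as the poster asked), once per row rather than once per search run.
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
# Defence in depth: even if the search were later changed to return one
# row per event, repeats for the same host are throttled for an hour.
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = host
alert.track = 1
action.email = 1
action.email.to = soc-alerts@example.com
```

With alert.digest_mode = 0 each host's row becomes its own alert carrying event_count, first_seen and last_seen, which is the "17 events, 1 alert per host" behaviour asked for in the thread.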