Splunk Search

splunk query for consecutive event in less than 5 s window

maniishpawar
Path Finder

Hi
I am trying to write a query to detect the IIS start/stop events 3201 and 3202 respectively.
I want to create a query that checks these two events and, if they do not both fall within a 5 s gap, generates an alert.
For example:

12:00:01 3201 logged
12:00:02 3230 logged
For this, no alert should be generated.

12:00:10 3201 logged
12:00:15 1234 logged
12:00:20 3202 logged
For this, there should be an alert, as the difference is more than 5 s.


woodcock
Esteemed Legend

Like this:

index=AlwaysSpecifyAnIndex cloudServiceName="onref*cls*" "SourceName=Microsoft-Windows-IIS-IISReset"
| streamstats current=f count(eval(EventCode=="3202")) AS sessionID
| stats range(_time) AS sessionSeconds BY sessionID
| where sessionSeconds > 5

DalJeanis
SplunkTrust

@maniishpawar -

You are heading in the right direction... streamstats is the right tool for this. However, you don't want to use sum().

First, you need to get all the events that you need, and throw out any that aren't relevant to your question. Then, you need to copy the information forward from the 3201 to the 3202 record. Finally, you need to test whether the difference is more than five seconds.

your search that gets all the 3201 and 3202 events, with fields _time, EventCode and cloudServiceName
| sort 0 cloudServiceName _time
| eval startTime = case(EventCode==3201,_time)
| streamstats current=f last(startTime) as prevStartTime by cloudServiceName
| eval duration=_time - prevStartTime
| where EventCode=3202 AND duration >5

Here we take advantage of the assumption that the event immediately before a 3202 must be the paired 3201. If you might have multiple of either, then use the next version.


DalJeanis
SplunkTrust

If you also want to test for stop records without start records and vice versa, it is going to need to be slightly more complex.

your search that gets all the 3201 and 3202 events, with fields _time, EventCode and cloudServiceName
| sort 0 cloudServiceName _time
| eval startTime = case(EventCode==3201,_time)
| streamstats count(startTime) as startSequence by cloudServiceName
| eval startSequence = coalesce(startSequence,0)
| stats range(_time) as duration min(_time) as _time list(EventCode) as EventCode by cloudServiceName startSequence
| where mvcount(EventCode)<2 OR mvcount(EventCode)>2 OR duration >5
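To make the grouping logic of the second answer concrete, here is an added Python mirror of that SPL (not code from the thread or from Splunk): it replays the running start-count per service, groups each 3201 with the events that follow it until the next 3201, and flags groups that do not hold exactly two events or that span more than 5 s. The event tuples and service names are constructed sample data modelled on the asker's examples.

```python
from collections import defaultdict

START, STOP = 3201, 3202   # IISReset start / stop EventCodes from the question
MAX_GAP = 5                # seconds; the alert threshold from the question

# Constructed sample events: (epoch seconds, EventCode, cloudServiceName)
EVENTS = [
    (1, 3201, "svcA"), (2, 3202, "svcA"),                        # paired within 5 s: no alert
    (10, 3201, "svcA"), (15, 1234, "svcA"), (20, 3202, "svcA"),  # 10 s apart: alert
    (30, 3202, "svcB"),                                          # stop with no start: alert
    (40, 3201, "svcB"), (42, 3201, "svcB"), (43, 3202, "svcB"),  # start with no stop: alert
]


def find_anomalies(events, max_gap=MAX_GAP):
    """Return the groups the SPL 'where' clause would keep, one dict per group."""
    # Base search: only the 3201/3202 events are relevant
    relevant = [e for e in events if e[1] in (START, STOP)]
    # | sort 0 cloudServiceName _time
    relevant.sort(key=lambda e: (e[2], e[0]))
    # | streamstats count(startTime) by cloudServiceName: a running count of starts,
    #   so every 3201 opens a new startSequence and later events stay in it;
    #   events seen before the first 3201 land in sequence 0 (the coalesce step)
    groups = defaultdict(list)
    start_seq = defaultdict(int)
    for ts, code, svc in relevant:
        if code == START:
            start_seq[svc] += 1
        groups[(svc, start_seq[svc])].append((ts, code))
    # | stats range(_time) min(_time) list(EventCode) by cloudServiceName startSequence
    alerts = []
    for (svc, seq), members in sorted(groups.items()):
        times = [t for t, _ in members]
        codes = [c for _, c in members]
        duration = max(times) - min(times)
        # | where mvcount(EventCode)<2 OR mvcount(EventCode)>2 OR duration>5
        if len(codes) != 2 or duration > max_gap:
            alerts.append({"cloudServiceName": svc, "startSequence": seq,
                           "_time": min(times), "duration": duration,
                           "EventCode": codes})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS):
        print(alert)
```

Like the SPL, this only tests the event count per group, so a sequence-0 group holding two stops and no start is accepted unless its duration exceeds the gap; checking that the codes are exactly one 3201 followed by one 3202 closes that hole.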

maniishpawar
Path Finder

Thank you for the answer. Can you please help me understand the second solution?


maniishpawar
Path Finder

After looking around online, I came up with something below. Can someone please suggest whether this will work or if this is the correct answer?
I will be more than happy to have alternatives.

index=* cloudServiceName="onref*cls*" "SourceName=Microsoft-Windows-IIS-IISReset"
| streamstats time_window=5s sum(EventCode) as Previous_Event by cloudServiceName
| search Previous_Event>6401


maniishpawar
Path Finder

Does anyone have any suggestions/comments?
