Hi
I am trying to write a query to detect the IIS start/stop events 3201 and 3202 respectively.
I want to create a query that checks these two events and, if they do not fall within a 5s gap, generates an alert.
For example:
12:00:01 3201 logged
12:00:02 3230 logged
For this, no alert should be generated.
12:00:10 3201 logged
12:00:15 1234 logged
12:00:20 3202 logged
For this, there should be an alert, as the difference is more than 5s.
Like this:
index=AlwaysSpecifyAnIndex cloudServiceName="onref*cls*" "SourceName=Microsoft-Windows-IIS-IISReset"
| streamstats count(eval(EventCode=="3202")) AS sessionID
| stats range(_time) AS sessionSeconds BY sessionID
| where sessionSeconds > 5
@maniishpawar -
You are heading in the right direction... streamstats is the right tool for this. However, you don't want to use sum().
First, you need to get all the events that you need, and throw out any that aren't relevant to your question. Then, you need to copy the information forward from the 3201 to the 3202 record. Finally, you need to test whether the difference is more than five seconds.
your search that gets all the 3201 and 3202 events, with fields _time, EventCode and cloudServiceName
| sort 0 cloudServiceName _time
| eval startTime = case(EventCode==3201,_time)
| streamstats current=f last(startTime) as prevStartTime by cloudServiceName
| eval duration=_time - prevStartTime
| where EventCode=3202 AND duration >5
Here we take advantage of the assumption that the event immediately before a 3202 must be the paired 3201. If you might have multiple of either, then use the next version.
If you also want to test for stop records without start records and vice versa, it is going to need to be slightly more complex.
your search that gets all the 3201 and 3202 events, with fields _time, EventCode and cloudServiceName
| sort 0 cloudServiceName _time
| eval startTime = case(EventCode==3201,_time)
| streamstats count(startTime) as startSequence by cloudServiceName
| eval startSequence = coalesce(startSequence,0)
| stats range(_time) as duration min(_time) as _time list(EventCode) as EventCode by cloudServiceName startSequence
| where mvcount(EventCode)<2 OR mvcount(EventCode)>2 OR duration >5
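To make the grouping in the second query easier to follow, here is a small Python model of the same logic (an added example, not code from this thread; the service names and timestamps are constructed, and the 5s threshold and event codes 3201/3202 are taken from the question):

```python
# Added example: a Python model of the second SPL answer above, so the
# startSequence grouping can be traced step by step. Not Splunk code.
from collections import defaultdict

MAX_GAP_SECONDS = 5  # threshold from the question

# Constructed sample events: (epoch seconds, cloudServiceName, EventCode)
SAMPLE_EVENTS = [
    (0, "onref-cls-a", 3201),
    (1, "onref-cls-a", 3202),    # paired, 1s apart: no alert
    (10, "onref-cls-a", 3201),
    (15, "onref-cls-a", 1234),   # unrelated code, filtered out
    (20, "onref-cls-a", 3202),   # paired, 10s apart: alert
    (30, "onref-cls-b", 3202),   # stop with no preceding start: alert
    (40, "onref-cls-b", 3201),   # start with no following stop: alert
]


def find_reset_anomalies(events, max_gap=MAX_GAP_SECONDS):
    """Mirror the SPL: keep 3201/3202, sort by service then time,
    streamstats count(startTime) as startSequence, stats range(_time)
    and list(EventCode) by service+sequence, then flag any group that
    does not hold exactly one start and one stop, or exceeds max_gap."""
    relevant = sorted((e for e in events if e[2] in (3201, 3202)),
                      key=lambda e: (e[1], e[0]))  # sort 0 cloudServiceName _time
    groups = defaultdict(list)
    seq = defaultdict(int)              # running count of 3201 per service
    for t, svc, code in relevant:
        if code == 3201:
            seq[svc] += 1               # each 3201 opens a new session
        groups[(svc, seq[svc])].append((t, code))  # seq 0 = stop before any start
    anomalies = []
    for (svc, n), members in sorted(groups.items()):
        times = [t for t, _ in members]
        codes = [c for _, c in members]           # list(EventCode)
        duration = max(times) - min(times)        # range(_time)
        if len(codes) != 2 or duration > max_gap:  # mvcount(EventCode)!=2 OR duration>5
            anomalies.append({"cloudServiceName": svc, "startSequence": n,
                              "_time": min(times), "duration": duration,
                              "EventCode": codes})
    return anomalies


if __name__ == "__main__":
    for row in find_reset_anomalies(SAMPLE_EVENTS):
        print(row)
```

Running it reports three rows: the 10s pair on onref-cls-a, the orphan 3202 on onref-cls-b (startSequence 0) and the orphan 3201 on onref-cls-b.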
Thank you for the answer. Can you please help me understand the second solution?
After looking around online, I came up with the query below. Can someone please suggest whether this will work, or if this is the correct answer?
Will be more than happy to have alternatives.
index=* cloudServiceName="onref*cls*" "SourceName=Microsoft-Windows-IIS-IISReset"
| streamstats time_window=5s sum(EventCode) as Previous_Event by cloudServiceName | search Previous_Event>6401
Does anyone have any suggestions/comments?