How to make sure a saved search covers proper time...

okayal · ‎11-20-2019

Hello,

We have a saved search that checks for the occurrence of at least two separate events for each user. For example, say I want to check if a user logs in and logs out within the same hour, a simplified search would be something like this:

index=windows event_id IN ("4624","4625")
| stats dc(event_id) as dc_count by User
| search dc_count>=2

I would save this as an Alert, schedule it to run every hour at the start of the hour, with a time range of the last hour. This works without any problems, however, my concern is as follows. Say a user logs in at the 59 minute mark, then logs out at the 15 minute mark. The alert will not detect it since it will fall under two separate searches times.

One solution I can think of is to change the stats command to a streamstats, then change the time range to the last two hours, keeping the schedule to run every hour:

| streamstats dc(event_id) as dc_count by User time_window=1h

Lastly, apply a throttle by user to avoid duplicate alerts.

However, I feel this solution is kind of ugly and cumbersome, and I was wondering if I am missing an obvious way to solve this.

Thank you

to4kawa · ‎11-23-2019

 index=windows event_id IN ("4624","4625") earliest=-2h@h
 | streamstats count(eval(event_id==4625)) AS sessionID BY User
 | stats first(_time) AS _time range(_time) AS duration values(event_id) AS event_id dc(event_id) as eventId_count BY sessionID User
 | where event_id==4624 AND policy_count==1
 | where duration > your_desire_duration_seconds

HI, If you search in the past 2 hours every hour, you will be alerted.

thanks @woodcock , I used your query. 　

woodcock · ‎11-23-2019

You did UpVote, right?

to4kawa · ‎11-23-2019

Roger that.

How to make sure a saved search covers proper time range

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms