Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to make sure a saved search covers proper time range

okayal
Explorer
‎11-20-2019 06:58 AM

Hello,

We have a saved search that checks for the occurrence of at least two separate events for each user. For example, say I want to check if a user logs in and logs out within the same hour, a simplified search would be something like this:

index=windows event_id IN ("4624","4625")
| stats dc(event_id) as dc_count by User
| search dc_count>=2

I would save this as an Alert, schedule it to run every hour at the start of the hour, with a time range of the last hour. This works without any problems, however, my concern is as follows. Say a user logs in at the 59 minute mark, then logs out at the 15 minute mark. The alert will not detect it since it will fall under two separate searches times.

One solution I can think of is to change the stats command to a streamstats, then change the time range to the last two hours, keeping the schedule to run every hour:

| streamstats dc(event_id) as dc_count by User time_window=1h

Lastly, apply a throttle by user to avoid duplicate alerts.

However, I feel this solution is kind of ugly and cumbersome, and I was wondering if I am missing an obvious way to solve this.

Thank you

0 Karma
Reply

to4kawa
Ultra Champion
‎11-23-2019 06:38 PM 
 index=windows event_id IN ("4624","4625") earliest=-2h@h
 | streamstats count(eval(event_id==4625)) AS sessionID BY User
 | stats first(_time) AS _time range(_time) AS duration values(event_id) AS event_id dc(event_id) as eventId_count BY sessionID User
 | where event_id==4624 AND policy_count==1
 | where duration > your_desire_duration_seconds

HI, If you search in the past 2 hours every hour, you will be alerted.

thanks @woodcock , I used your query.  

Reply

woodcock
Esteemed Legend
‎11-23-2019 10:25 PM

You did UpVote, right?

0 Karma
Reply

to4kawa
Ultra Champion
‎11-23-2019 11:41 PM

Roger that.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...