
How can I search and alert for recurring events?

aramakrishnan
New Member

I'm trying to write a search which can detect the occurrence of an event AFTER a previous event containing the same field value has occurred. The use case is that when the first event occurs, we trigger an alert (which has a subsequent course of action internally) and when the subsequent log event occurs matching the same ID, we know that the issue has been fixed.

Event 1: <time=11/2/2017 11:00:00> sourcetype=firstevent "Event 1 happened"  devID=ABCD | ...
Event 2: <time=11/3/2017 02:00:00> sourcetype=secondevent "Event 2 happened"  deviceID=ABCD | ...

Ideally, we'd like for Splunk to search for the occurrence of the second event from the time the first event occurred. So for every device ID in event 1, look for a subsequent event 2 since the first event occurred, and trigger an alert saying "for this device ID, the second event has happened".

Couple of notes:

- The device ID field name is different in the two events. I have previously corrected it using an eval, for example:

  search <event1> | eval deviceID=devID

- The second event always occurs AFTER the first event. The second event basically indicates that a device has been registered; we have a thousand registrations a day, and it's hard to specify a time modifier. So either I could go with something generic and say "search in the last 2 weeks if you found a registration for devID", or I could say "search from earliest="when the first event happened" to now for the second event".

Things I've tried so far:

<event 1> OR <event 2> | eval deviceID=devID | transaction deviceID | search <event 1> AND <event 2>

I tried to put both events in a transaction and say only show me results where BOTH events are available so I can alert on that. However, this doesn't seem to work as expected perhaps because of the eval to change the field name?

Also, to specify the time range, I tried putting the timestamp of event 1 into a field (say "first_event_start") using eval and then used a join to look for the second event starting at earliest=first_event_start, but I got an error (it looks like earliest only takes numeric values or time modifiers).

Any help would be great! Thanks!

0 Karma

horsefez
Motivator

Hi,

have you tried using transaction with the startswith and endswith parameters yet?

Try something like this:

<yoursearch> | transaction deviceID startswith="<indicator that event 1 happened>" endswith="<indicator that event 2 happened>"

The indicator I'm talking about is some sort of raw string that marks the event.

0 Karma
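A fuller version of this approach, as an added example that is not part of horsefez's answer: the sourcetypes, raw strings and field names come from the question; the 14-day window (`earliest=-14d`, `maxspan=14d`) is an assumption taken from the "last 2 weeks" note. It also replaces the question's `eval deviceID=devID` with `coalesce`, because the plain assignment sets `deviceID` to null on the second event (which has no `devID`), so the two events never share a key and `transaction` cannot pair them.

```spl
(sourcetype=firstevent "Event 1 happened") OR (sourcetype=secondevent "Event 2 happened") earliest=-14d
| eval deviceID=coalesce(deviceID, devID)
| transaction deviceID startswith="Event 1 happened" endswith="Event 2 happened" maxspan=14d
| where closed_txn=1 AND eventcount>=2
| eval opened=strftime(_time, "%Y-%m-%d %H:%M:%S"),
       fixed=strftime(_time+duration, "%Y-%m-%d %H:%M:%S")
| table deviceID opened fixed duration
```

`closed_txn=1` keeps only transactions that were actually closed by the `endswith` match, so devices whose event 1 has no event 2 yet are dropped rather than alerted on; `_time` of a transaction is the first event's time and `duration` the span to the last, so the `fixed` column is the time of event 2. Scheduling this as an alert that triggers when the result count is greater than zero gives one "fixed" notification per device ID.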

Sukisen1981
Champion

Hi, have you tried the streamstats command?

0 Karma
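The same correlation done with streamstats, as an added example that is not part of Sukisen1981's answer: the sourcetypes and strings are the question's, and the 14-day window is again an assumption. streamstats carries the time of the most recent event 1 forward to each later event for the same device, so event 2 rows can be filtered to those that have a preceding event 1; it avoids the memory limits of transaction on high-volume data such as a thousand registrations a day.

```spl
(sourcetype=firstevent "Event 1 happened") OR (sourcetype=secondevent "Event 2 happened") earliest=-14d
| eval deviceID=coalesce(deviceID, devID)
| eval stage=if(sourcetype="firstevent", "opened", "fixed")
| sort 0 _time
| streamstats current=f last(eval(if(stage="opened", _time, null()))) as opened_at by deviceID
| where stage="fixed" AND isnotnull(opened_at)
| eval time_to_fix=_time-opened_at,
       opened_at=strftime(opened_at, "%Y-%m-%d %H:%M:%S"),
       fixed_at=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table deviceID opened_at fixed_at time_to_fix
```

`sort 0 _time` is needed because search results arrive newest first and streamstats processes rows in the order it receives them; `current=f` excludes the current row from the running `last()`, so an event 2 only sees event 1 rows that came before it. Null values are ignored by `last()`, which is what lets the `if(... null())` expression remember only the latest event 1 per device.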