Need to find the solution for a Splunk search that finds when Event_ID=24 and Event_ID=40 occur but not Event_ID=23, within a 5-second interval, over the last 24 hours.
Thank you!
Run this search for Last 24 hours:
| makeresults
| eval raw="A,24,40 B,42,25,40,40,41 C,24,40,23 D,22,21,42,41"
| makemv raw
| mvexpand raw
| streamstats count AS _serial
| eval _time = _time + 20*_serial
| rename raw AS _raw
| rex "^(?<host>[^,]+),(?<Event_ID>.*)"
| makemv delim="," Event_ID
| mvexpand Event_ID
| fields - _raw
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| streamstats time_window=5 count(eval(Event_ID=24)) AS Event_ID_24 count(eval(Event_ID=40)) AS Event_ID_40 count(eval(Event_ID=23)) AS Event_ID_23 BY host
| search Event_ID_24>0 AND Event_ID_40>0 AND Event_ID_23=0
Thank you for all your help and answers. Unfortunately, with your solution I'm still having the issue where it matches both Scenario A and Scenario C; I was trying to match only Scenario A. I'll be taking another look at this soon, but thanks for all the time people have committed so far!
Actually, this does not work, but it might be made to work?
@woodcock - I'd tend to put an s on the time_window=5, but it's the same effect and otherwise just so.
Thanks for all your answers. I think maybe I need to expand on what the whole picture looks like. In the following four scenarios, I only want to match 'Scenario A'. In each scenario all the events happen within a second or two (thus within 5 seconds).
At 2:25pm - Scenario A:
- Event_ID=24
- Event_ID=40
At 2:27pm - Scenario B:
- Event_ID=42
- Event_ID=25
- Event_ID=40
- Event_ID=40
- Event_ID=41
At 2:33pm - Scenario C:
- Event_ID=24
- Event_ID=40
- Event_ID=23
At 2:37pm - Scenario D:
- Event_ID=22
- Event_ID=21
- Event_ID=42
- Event_ID=41
Thanks!
Hi SystemsEngineer,
try something like this:
your_search
| transaction host startswith="Event_ID=24" maxspan=5s
| search Event_ID=40 NOT Event_ID=23
Bye.
Giuseppe
I thought this might work too.
try it!
Bye.
Giuseppe
P.S.: if this answer satisfies your request, please accept it.
Sorry, I've tried both of the options above and they match more than just 'Scenario A'. Not sure, but I could be missing something. The base search brings up all the Scenarios' data listed above in my expanded comments, but I just want to match 'Scenario A' (when Event_ID=24 and Event_ID=40 exist, but not Event_ID=23). Thank you!
Hi
try this
your_search
| transaction host startswith="Event_ID=24" maxspan=5s
| search Event_ID=24 Event_ID=40 NOT Event_ID=23
Bye.
Giuseppe
I think this would work:
index=yourIndexName
| transaction host startswith=eval(Event_ID=24) endswith=eval(Event_ID=23) maxspan=5s keeporphans=true
| where _txn_orphan=1
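The reason the streamstats approach flags Scenario C as well as Scenario A is worth seeing in isolation: a trailing time window only looks backwards, so at the moment the Event_ID=40 row is evaluated, the Event_ID=23 that arrives a second later is not yet visible. A grouping that inspects the whole burst (what `transaction host maxspan=5s` without a `startswith` does) can reject the burst because it sees the 23. The following Python is an added example written for this thread, not code from any of the posters and not SPL; it models both strategies over constructed events that mirror the four scenarios above (all on an assumed host name `host1`, timestamps assumed, only the gaps matter) so the difference can be checked offline.

```python
"""Added example: model the two Splunk correlation strategies from the thread
in plain Python so their behaviour on Scenarios A-D can be tested offline."""
from collections import defaultdict

# Constructed sample events mirroring Scenarios A-D from the thread:
# (epoch seconds, host, Event_ID). BASE and host name are assumptions;
# bursts are a second or two wide and minutes apart, as in the question.
BASE = 1_700_000_000
EVENTS = [
    # Scenario A at 2:25pm: 24, 40
    (BASE + 0, "host1", 24),
    (BASE + 1, "host1", 40),
    # Scenario B at 2:27pm: 42, 25, 40, 40, 41
    (BASE + 120, "host1", 42),
    (BASE + 120, "host1", 25),
    (BASE + 121, "host1", 40),
    (BASE + 121, "host1", 40),
    (BASE + 122, "host1", 41),
    # Scenario C at 2:33pm: 24, 40, 23
    (BASE + 480, "host1", 24),
    (BASE + 481, "host1", 40),
    (BASE + 482, "host1", 23),
    # Scenario D at 2:37pm: 22, 21, 42, 41
    (BASE + 720, "host1", 22),
    (BASE + 720, "host1", 21),
    (BASE + 721, "host1", 42),
    (BASE + 722, "host1", 41),
]

WANT = {24, 40}     # both must be present
FORBID = {23}       # none of these may be present
WINDOW = 5          # seconds, the thread's 5-second interval


def trailing_window_matches(events, window=WINDOW):
    """Model of `streamstats time_window=5s count(eval(...)) BY host`
    followed by `search Event_ID_24>0 AND Event_ID_40>0 AND Event_ID_23=0`.

    Each event only sees itself and the previous `window` seconds on the
    same host, so a 23 that arrives *after* the 24/40 pair is invisible at
    the moment the 40 row is evaluated. Returns timestamps of matching rows.
    """
    hits = []
    for i, (t, host, _eid) in enumerate(events):
        seen = {e for (t2, h2, e) in events[:i + 1]
                if h2 == host and t - window <= t2 <= t}
        if WANT <= seen and not (FORBID & seen):
            hits.append(t)
    return hits


def burst_matches(events, window=WINDOW):
    """Model of `transaction host maxspan=5s` (no startswith) followed by
    `search Event_ID=24 Event_ID=40 NOT Event_ID=23`.

    Events are grouped per host into bursts whose span from the first event
    is <= window; the complete burst is inspected before deciding, so the
    trailing 23 in Scenario C is seen and that burst is rejected.
    Returns the start timestamps of matching bursts.
    """
    bursts = defaultdict(list)  # host -> list of [start_time, {Event_IDs}]
    for t, host, eid in sorted(events):
        groups = bursts[host]
        if groups and t - groups[-1][0] <= window:
            groups[-1][1].add(eid)
        else:
            groups.append([t, {eid}])
    return [start for host in bursts for start, ids in bursts[host]
            if WANT <= ids and not (FORBID & ids)]


if __name__ == "__main__":
    print("trailing window (streamstats model):", trailing_window_matches(EVENTS))
    print("whole burst (transaction model):   ", burst_matches(EVENTS))
```

The trailing-window model reports two hits (Scenario A and the 40 row of Scenario C), reproducing what the asker observed; the burst model reports only Scenario A. The general point for any "X and Y but not Z within N seconds" detection is that the negative condition needs lookahead, so either group the burst first and test the group, or delay the decision until the window has fully elapsed.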