https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647789#M781 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249714">@SplunkExplorer</a>,</P><P>let me understand: when you sai consecutive events, are you meaning events in the reference period or that between these events athere isn't any othe event?</P><P>In the first case, you can run a simple search like the following :</P><LI-CODE lang="markup">index=wineventlog Eventcode=4776 | stats count BY host user | where count&gt;3</LI-CODE><P>if the second the solution is more complex, I''l think to it.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 21 Jun 2023 13:30:09 GMT gcusello 2023-06-21T13:30:09Z https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647719#M780 <P>Hi Splunkers, I have to build a rule, based on Windows Logs (XML ones), that must check this:</P> <P>Notify me is there are at least<STRONG> 3 consecutive occurreces</STRONG> of EventID 4776 from a list of host. Tje desiderd output must show:</P> <UL> <LI>Host</LI> <LI>Number of consecutive events</LI> <LI>User/account associated to&nbsp; events</LI> </UL> <P>So for example, if we have that</P> <UL> <LI>Host A has 4 consecutive events of EventID 4776 for user "Admin"</LI> <LI>Host B has 19 consecutive events of EventID 4776 for user "Test"</LI> <LI>Host C has 2 consecutive events of EventID 4776 for user "Joker"</LI> <LI>Host D has 3 Events of EvenID 4776, but only 2 consecutive; than has another different event and only after this another occurrence of 4776 for user "Hello"</LI> </UL> <P>Host C don't match the consecutive count clause and must be escluded; same for Host D, because he has 3 events but not consecutive. The expected output is:<BR /><BR /></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%">Host</TD> <TD width="33.333333333333336%">User</TD> <TD width="33.333333333333336%">N. of consecutive events</TD> </TR> <TR> <TD width="33.333333333333336%">A</TD> <TD width="33.333333333333336%">Admin</TD> <TD width="33.333333333333336%">4</TD> </TR> <TR> <TD width="33.333333333333336%">B</TD> <TD width="33.333333333333336%">Test</TD> <TD width="33.333333333333336%">19</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>What get me in stuck here is how to check that events are consecutive.Any suggestion?</P> Thu, 22 Jun 2023 00:37:16 GMT https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647719#M780 SplunkExplorer 2023-06-22T00:37:16Z https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647789#M781 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249714">@SplunkExplorer</a>,</P><P>let me understand: when you sai consecutive events, are you meaning events in the reference period or that between these events athere isn't any othe event?</P><P>In the first case, you can run a simple search like the following :</P><LI-CODE lang="markup">index=wineventlog Eventcode=4776 | stats count BY host user | where count&gt;3</LI-CODE><P>if the second the solution is more complex, I''l think to it.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 21 Jun 2023 13:30:09 GMT https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647789#M781 gcusello 2023-06-21T13:30:09Z https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647797#M783 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>, it is the second option you mentioned: no other events between the desired one must be present.</P><P>For example:</P><P>15:00:00: Eventd ID 4776 for user gcusello<BR />15:00:01: Eventd ID 4776 for user gcusello<BR />15:00:02: Eventd ID 4776 for user gcusello</P><P>is fine, while:</P><P>15:00:00: Eventd ID 4776 for user gcusello<BR />15:00:01: Eventd ID 4776 for user gcusello<BR />15:00:02: Eventd ID 4625 for user gcusello<BR />15:00:03: Eventd ID 4776 for user gcusello</P><P>it isn't.</P> Wed, 21 Jun 2023 13:41:17 GMT https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647797#M783 SplunkExplorer 2023-06-21T13:41:17Z https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647798#M784 <P>I think that this is doable with&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Streamstats" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Streamstats</A></P><P>Just use reset_before/after which suite better for you.&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| streamstats reset_before="EventID!=4776" count by host user EventID | where count &gt; 3</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Jun 2023 13:58:04 GMT https://community.splunk.com/t5/Other-Usage/How-to-check-if-certain-events-occurs-N-consecutive-times/m-p/647798#M784 isoutamo 2023-06-21T13:58:04Z