topic Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window in Alerting

Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

misteryuku — Thu, 26 Apr 2012 08:18:05 GMT

Lets say i have a set of log events like this in the search app of splunk:

Thu Apr 26 09:39:22 SGT 2012 INFO no = 1 time = 0.000000 src = 164.124.33.78 dest = 192.168.0.1 protocol = TCP length = 54 info = "35165 > 80 [SYN] Seq=0 Win=16384 Len=0 "

Thu Apr 26 09:39:22 SGT 2012 INFO no = 2 time = 0.000001 src = 38.198.26.9 dest = 192.168.0.1 protocol = TCP length = 54 info = "14378 > 80 [SYN] Seq=0 Win=16384 Len=0 "

Thu Apr 26 09:39:22 SGT 2012 INFO no = 3 time = 0.000003 src = 132.212.36.201 dest = 192.168.0.1 protocol = TCP length = 54 info = "31944 > 80 [SYN] Seq=0 Win=16384 Len=0 "

I clicked the create button > alert . Then i chose "monitor in real time over a rolling window of.." the under tigger if i select "custom condition is set" fom the drop down menu. I would like to create the alert that would be triggered when the custom condition is set.

I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contains the protocol = TCP, the same dest field values and the info field contains the word "SYN" eg. trigger the alert whenever the above conditions(in bold) i mentioned appear more than 20 times.

The question is how do i create the custom condition so that the custom condition would statisfy the above conditions(in bold) i mentioned.

Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

echalex — Thu, 26 Apr 2012 10:12:57 GMT

Hi,
Sounds like you could use transaction for that:

protocol="TCP" |where match(info, "SYN") |transaction dest |search eventcount>=20

The transaction command will combine all the events into one and the last command will restrict the search to show the transactions with 20 or more results.

Then set the condition to "Number of events is greater than 0"

HTH!

Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

misteryuku — Fri, 27 Apr 2012 00:34:57 GMT

Thanks for the answer.

Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

misteryuku — Fri, 27 Apr 2012 07:06:12 GMT

Sorry, i beg your pardon. What i mean is I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contains the protocol = TCP AND the same dest field values AND the info field contains the word "SYN" eg. trigger the alert whenever the above conditions(in bold) i mentioned appear more than 20 times. Is it going to be the same search stmt? or replace | with &&?? I just need to clarify.

Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

echalex — Fri, 27 Apr 2012 07:15:24 GMT

Aha! So to clarify: when you say consecutive, you mean that if there is any event between the first and the second event, then it doesn't apply? I'm not sure if transaction can do this and I'm not sure how you would do it in the search language.

But to clarify: the | does not mean OR, it is more akin to the command piping in e.g. unix or windows command line. The transaction dest command will group only such events that have the same dest field. The last search eventcount>= 20 will require that such a group has at least 20 events in it.

Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

echalex — Fri, 27 Apr 2012 07:20:24 GMT

To elaborate further, the search will take all the events with protocol="TCP", then show only those that contain "SYN" in their info field, group them together so they have the same dest field and finally leave out those groups with less than 20 events.

The group will show as only 1 result, although the group contains 20 or more event. Therefore the alert condition only needs to find 1 or more results. (Which means "is greater than 0", of course. Now corrected in my answer.)

Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

echalex — Fri, 27 Apr 2012 07:22:38 GMT

Another option for the search condition could be "if custom condition is met" and for the custom condition "eventcount >= 20".

Re: Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

misteryuku — Fri, 27 Apr 2012 07:28:51 GMT

i asked again because i thought my question wasn't clear enough.