topic Re: Creating an alert with field value count within a transaction in Splunk Search

Creating an alert with field value count within a transaction

mcg_connor — Mon, 29 Jul 2019 18:15:01 GMT

I am trying to create an alert for the below search that would go off if within the event there are 10 times where EventCode equals 1 within a 5-minute span. I also want EventCode equals 2 once within that span which is why I am doing the search for EventID equals 1 AND EventID equals 2.

index="myindex" EventCode=1 OR EventCode=2   earliest=-5m
| transaction user   | search EventID=1 AND EventID=2  
| eventstats 
                count(eval(match(EventID,"1"))) as loginFail
                count(eval(match(EventID,"2"))) as loginSuccess
                by user
|table user,loginFail,loginSuccess
|where loginFail >= 10

Currently the results of this search are:

user                          loginFail            loginSuccess
testuser                          1                      1
exampleuser                       1                      1

Even if there are 3 times within the transaction where EventID equals 1 and 1 time where it equals 2.

Thanks for any help!

Re: Creating an alert with field value count within a transaction

woodcock — Mon, 29 Jul 2019 18:26:26 GMT

DO NOT user transaction; try this:

index="myindex" AND (EventCode=1 OR EventCode=2) earliest=-5m
| eventstats count(eval(EventCode=1)) AS loginFail count(eval(EventCode=2)) AS loginSuccess BY user
| where loginFail >= 10 AND loginSuccess > 0

Re: Creating an alert with field value count within a transaction

mcg_connor — Mon, 29 Jul 2019 18:32:14 GMT

Awesome thanks for the helpful answer!