https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550120#M156110 <P>Hi Splunkers,</P><P>I need your help on the following data set.</P><P>Index=auditbeat<BR />host --&gt; log source<BR />command --&gt; command run by host<BR />_time --&gt; _time</P><P>host1:<BR />_time : 00.00:00 - 00.15:00 --&gt; 15 min interval<BR />commands run by host1 in time interval above (15 min) : ls, tar, sudo, whoami, cd, mkdir</P><P>host2:<BR />_time : 00.00:00 - 00.15:00 --&gt; 15 min interval<BR />commands run by host2 in time interval above (15 min) : ls, rm, history, whoami, cd, mkdir</P><P>host3:<BR />_time : 00.00:00 - 00.15:00 --&gt; 15 min interval<BR />commands run by host3 in time interval above (15 min) : ls, chown, chroot, whoami, cd, mkdir</P><P>I need to write a search which will look at each 15 min time interval, within&nbsp; EACH15 min time interval if any machine (host) run all these command 'whoami','chroot' and 'history', search will list the result as following</P><P>time interval -- host -- commands</P><P>Thanks for your help.</P> Sat, 01 May 2021 18:53:24 GMT splunkerer 2021-05-01T18:53:24Z https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550120#M156110 <P>Hi Splunkers,</P><P>I need your help on the following data set.</P><P>Index=auditbeat<BR />host --&gt; log source<BR />command --&gt; command run by host<BR />_time --&gt; _time</P><P>host1:<BR />_time : 00.00:00 - 00.15:00 --&gt; 15 min interval<BR />commands run by host1 in time interval above (15 min) : ls, tar, sudo, whoami, cd, mkdir</P><P>host2:<BR />_time : 00.00:00 - 00.15:00 --&gt; 15 min interval<BR />commands run by host2 in time interval above (15 min) : ls, rm, history, whoami, cd, mkdir</P><P>host3:<BR />_time : 00.00:00 - 00.15:00 --&gt; 15 min interval<BR />commands run by host3 in time interval above (15 min) : ls, chown, chroot, whoami, cd, mkdir</P><P>I need to write a search which will look at each 15 min time interval, within&nbsp; EACH15 min time interval if any machine (host) run all these command 'whoami','chroot' and 'history', search will list the result as following</P><P>time interval -- host -- commands</P><P>Thanks for your help.</P> Sat, 01 May 2021 18:53:24 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550120#M156110 splunkerer 2021-05-01T18:53:24Z https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550123#M156112 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234050">@splunkerer</a>&nbsp;</P><P><EM>history</EM> is typically a built-in shell command, but assuming your log configuration captures all commands, including shell built-ins, you can use e.g.:</P><P>index=auditbeat<BR />| bin _time span=15m<BR />| stats values(<SPAN>command</SPAN>) as <SPAN>command&nbsp;</SPAN>by _time host<BR />| search <SPAN>command</SPAN>=whoami <SPAN>command</SPAN>=chroot <SPAN>command</SPAN>=history</P> Sat, 01 May 2021 21:37:43 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550123#M156112 tscroggins 2021-05-01T21:37:43Z https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550127#M156114 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a>&nbsp;</P><P><SPAN>"| search&nbsp;</SPAN><SPAN>command</SPAN><SPAN>=whoami&nbsp;</SPAN><SPAN>command</SPAN><SPAN>=chroot&nbsp;</SPAN><SPAN>command</SPAN><SPAN>=history" this line is looking all these commands are available in a time span( in our example 15 min) rigth?</SPAN></P> Sat, 01 May 2021 23:03:45 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550127#M156114 splunkerer 2021-05-01T23:03:45Z https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550128#M156115 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234050">@splunkerer</a>&nbsp;</P><P>Effectively, yes.</P><P><SPAN>| bin _time span=15m</SPAN></P><P>The bin command converts every time value to the prior 15 minute boundary. E.g. 00:01:01 =&gt; 00:00:00, 00:17:30 =&gt; 00:15:00, 00:32:00 =&gt; 00:30:00, and 00:59:35 =&gt; 00:45:00.</P><P>Note that binning _time in this way does not produce a&nbsp;<EM>rolling</EM> 15 minute window. For example, if chroot is executed at 00:59:59.999999 and whoami is executed at 01:00:00.000000, the commands will be binned into <EM>separate</EM> 15 minute intervals.</P><P><SPAN>| stats values(</SPAN><SPAN>command</SPAN><SPAN>) as&nbsp;</SPAN><SPAN>command&nbsp;</SPAN><SPAN>by _time host</SPAN></P><P>The stats command uses the values function to aggregate all distinct&nbsp;<EM>command</EM> values by _time (now binned into 15 minute buckets) and host. The resulting&nbsp;<EM>command</EM> field will be&nbsp;<EM>multi-valued</EM>, i.e. it will have one or more simultaneous values.</P><P><SPAN>| search&nbsp;</SPAN><SPAN>command</SPAN><SPAN>=whoami&nbsp;</SPAN><SPAN>command</SPAN><SPAN>=chroot&nbsp;</SPAN><SPAN>command</SPAN><SPAN>=history</SPAN></P><P><SPAN>The search command looks for all events with&nbsp;<EM>command&nbsp;</EM>values of <EM>whoami</EM>, <EM>chroot</EM>, and <EM>history</EM>. Since&nbsp;<EM>command</EM> is now multi-valued, it can (and must) contain all of these values at the same time.</SPAN></P> Sat, 01 May 2021 23:56:50 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-events-from-a-specific-system-in-a-certain-time/m-p/550128#M156115 tscroggins 2021-05-01T23:56:50Z