topic Re: splunk query for consecutive event in less than 5 s window in Splunk Search

splunk query for consecutive event in less than 5 s window

maniishpawar — Mon, 02 Jul 2018 13:16:33 GMT

Hi
I am trying to write a query to detect IIS start stop event 3201 and 3202 respectively.
I wanted to create a query that can check these two events and if they do not fall through in 5s gap, then generate an alert.
For ex

12:00:01 3201 logged
12:00:02 3230 logged
for this no alert should be generated.

12:00:10 3201 logged
12:00:15 1234 logged
12:00:20 3202 logged
for this there should be an alert as the difference is more than 5s.

Re: splunk query for consecutive event in less than 5 s window

maniishpawar — Tue, 29 Sep 2020 20:14:20 GMT

after going through online. I came up with something below. Can someone please suggest if this will work or if this the correct answer .
Will be more than happy to have alternatives.

index=* cloudServiceName="onref*cls*" "SourceName=Microsoft-Windows-IIS-IISReset"

| streamstats time_window=5s sum(EventCode) as Previous_Event by cloudServiceName | search Previous_Event>6401

Re: splunk query for consecutive event in less than 5 s window

maniishpawar — Tue, 03 Jul 2018 16:26:25 GMT

Any one has any suggestions/comments ?

Re: splunk query for consecutive event in less than 5 s window

DalJeanis — Tue, 03 Jul 2018 17:31:14 GMT

@maniishpawar -

You are heading in the right direction... streamstats is the right tool for this. However, you don't want to use sum().

First, you need to get all the events that you need, and throw out any that aren't relevant to your question. Then, you need to copy the information forward from the 3201 to the 3202 record. Finally, you need to test whether the difference is more than five seconds.

 your search that gets all the 3201 and 3202 events, with fields  _time, EventCode and cloudServiceName
| sort 0 cloudServiceName _time 
| eval startTime = case(EventCode==3201,_time)
| streamstats current=f last(startTime) as prevStartTime by cloudServiceName 
| eval duration=_time - prevStartTime
| where EventCode=3202 AND duration >5

Here we take advantage of the assumption that the event immediately before a 3202 must be the paired 3201. If you might have multiple of either, then use the next version.

Re: splunk query for consecutive event in less than 5 s window

DalJeanis — Tue, 03 Jul 2018 17:38:16 GMT

If you also want to test for stop records without start records and vice versa, it is going to need to be slightly more complex.

 your search that gets all the 3201 and 3202 events, with fields  _time, EventCode and cloudServiceName
 | sort 0 cloudServiceName _time 
 | eval startTime = case(EventCode==3201,_time)
 | streamstats count(startTime) as startSequence by cloudServiceName 
 | eval startSequence = coalesce(startSequence,0)
 | stats range(_time) as duration min(_time) as _time list(EventCode) as EventCode by cloudServiceName startSequence
 | where mvcount(EventCode)<2 OR  mvcount(EventCode)>2  OR duration >5

Re: splunk query for consecutive event in less than 5 s window

maniishpawar — Thu, 05 Jul 2018 15:44:27 GMT

Thank you for the answer. Can you please help me understand the second solution.

Re: splunk query for consecutive event in less than 5 s window

woodcock — Mon, 16 Jul 2018 00:49:09 GMT

Like this:

index=AlwaysSpecifyAnIndex cloudServiceName="onref*cls*" "SourceName=Microsoft-Windows-IIS-IISReset"
| streamstasts count(eval(EventCode=="3202")) AS SessionID
| stats range(_time) AS sessionSeconds BY sessionID
| where sessionSeconds > 5