topic Re: Returning results only if field has more than one unique name in Splunk Search

Returning results only if field has more than one unique name

santorof — Tue, 29 Sep 2020 08:02:42 GMT

I am looking to create a unique alert that would look at virus activity. The idea is to get a real time alert in a 60 second window if the field signature is reoccurring across two separate logs that both have different (computer_name) which could signal an outbreak possibly.

signature is the indicator of what type of virus it is and computer_name is the comp name.
This is the general idea: ...| bucket _time span=1m | dedup signature | (Only return results if computer_name has different results) | count >2

I cant seem to figure out a splunk command to only return results if the computer_name field does not have a unique specific name. I know I could utilize != but not sure what command would help me with this.

Re: Returning results only if field has more than one unique name

richgalloway — Fri, 27 Nov 2015 20:44:55 GMT

How about something like this.

...| bucket _time span=1m | stats count(computer_name) as computerCount by signature | where computerCount > 2 | ...

Re: Returning results only if field has more than one unique name

santorof — Fri, 27 Nov 2015 21:23:01 GMT

Not sure if it works. Its saying there are events but no results are being outputted

Re: Returning results only if field has more than one unique name

richgalloway — Sat, 28 Nov 2015 00:51:22 GMT

Try my modified answer.

Re: Returning results only if field has more than one unique name

santorof — Wed, 02 Dec 2015 13:57:22 GMT

The logic makes sense but Splunk says I have 8 results but nothing being outputted. Just running a basic query against the source type I have the same amount of events in a given period as what the alert is telling me

Re: Returning results only if field has more than one unique name

richgalloway — Wed, 02 Dec 2015 18:05:32 GMT

If you add table computer_name computerCount after the where command, do you see output? Do you see events in Verbose Mode?

Re: Returning results only if field has more than one unique name

santorof — Fri, 04 Dec 2015 14:47:30 GMT

I get a count of computers but nothing on the left hand side under computer_name

Re: Returning results only if field has more than one unique name

richgalloway — Fri, 04 Dec 2015 14:58:07 GMT

Try changing the stats command to stats values(computer_name) as Computers count(computer_name) as computerCount by signature.

Re: Returning results only if field has more than one unique name

santorof — Fri, 04 Dec 2015 16:19:26 GMT

Seems I have solid output. Over a given 24 hours I have 4 different signatures where each signature has multiple computers and on the right hand side is a total count. What seems weird is if there are only 2 computers for one signature the total computer count is 15. This probably means 15 total events in-between those two 2 computers.

What I am seeing though is one signature for one computer. I should only be seeing output if there are a total of two computers found for that signature. computerCount >2 should be taking care of that it seems.

Edit: Just noticed computerCount >2 will activate if one computer pops up multiple times in a 60 second window

Re: Returning results only if field has more than one unique name

santorof — Fri, 04 Dec 2015 20:38:42 GMT

Got it. Verified the results and im good to go. Thanks!