topic How can i search 1 host at a time when index hits a number of hosts. in Splunk Search

How can i search 1 host at a time when index hits a number of hosts.

HelloItsMe76 — Wed, 02 Feb 2022 18:33:51 GMT

I have an index which searches across 10 hosts. I am comparing 2 strings and evaluating the results to see if there is an issue that needs alerting. The results are being messed up as its evaluating the 2 strings from 2 different boxes - ie string1 on hostA against string2 on hostB. It should be string1 on host1 against string2 on host1. Then go to host2 , host3 ..... host10.

How can i get my search to either sequentionally go through each host or have the results group by host to not show results that have come from 2 diff hosts.

current logic is:

index="abc" "string1 OR string2" | transaction startswith="string1" endswith="string2" | where count>2

Re: How can i search 1 host at a time when index hits a number of hosts.

isoutamo — Wed, 02 Feb 2022 21:15:37 GMT

Can you post sample events to understand your needs?

Re: How can i search 1 host at a time when index hits a number of hosts.

gcusello — Thu, 03 Feb 2022 07:16:31 GMT

Hi @HelloItsMe76,

let me understand:

you want to check if there's a group of hosts (at least 2 or more) where there are both the strings, is this correct?

please try something like this:

Ciao.

Giuseppe

Re: How can i search 1 host at a time when index hits a number of hosts.

HelloItsMe76 — Thu, 03 Feb 2022 16:37:25 GMT

Thanks for the reply..

one small update to my original post is that it should read "duration > 2" at the end.

to clarify - both strings will appear in all the 10 hosts. at the moment my search is comparing strings from different hosts, it should not do that. I understand i can create 10 alerts (1 for each host), but i would like to find a more efficient way and do it in 1 alert. So i am looking to go through each host in the source / index and evaluate string1 vs string2 on host1, then go to host2 and so on up to host10.

Re: How can i search 1 host at a time when index hits a number of hosts.

gcusello — Thu, 03 Feb 2022 17:15:34 GMT

Hi @HelloItsMe76,

if you need also to check duration, you have to modify the search, something like this:

index="abc" "string1 OR string2" | eval string=if(searchmatch("string1"),"String1","String2") | stats dc(host) AS dc_host values(host) AS host dc(string) AS dc_string earliest(_time) AS earliest latest(_time) AS latest | eval duration=latest-earliest | where dc_host>1 AND dc_string>1 AND duration>2 | mvexpand host | table host

Ciao.

Giuseppe