https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601652#M209392 <P>Can you not use the eventcount returned with each transaction event to determine if an attack is ongoing?</P> Tue, 14 Jun 2022 06:33:23 GMT ITWhisperer 2022-06-14T06:33:23Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601649#M209389 <P>Hello,&nbsp; &nbsp;Is there a way to use transaction command to let us know if an activity/attack is ongoing ?<BR />Scenario :&nbsp; Create a search that detects ongoing DDOS activity</P><P>I have the following search that will detect DOS activity events and track them using transaction.&nbsp; I see there is a <STRONG>maxspan</STRONG> option available but there is no <STRONG>minspan</STRONG> .&nbsp; &nbsp;Even if i schedule this to run <STRONG>every 1h,</STRONG> the <STRONG>maxspan</STRONG> will show those results that are less than 1h too.&nbsp; Since there is no <STRONG>minspan</STRONG> option, how to make it detect an ongoing activity ?&nbsp; Hope i am clear</P><P><BR />My search:</P><P>&nbsp;</P><LI-CODE lang="markup">index=arbor ... | transaction eventID startswith=starting endswith=end maxspan=1h | eval starttime = _time | eval duration = "Ongoing" | convert ctime(starttime) | table starttime, duration, condition</LI-CODE><P>&nbsp;</P><P><BR />Maybe my above approach is wrong. How else can we accomplish this?<BR /><BR />&nbsp;</P> Tue, 14 Jun 2022 06:26:16 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601649#M209389 neerajs_81 2022-06-14T06:26:16Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601652#M209392 <P>Can you not use the eventcount returned with each transaction event to determine if an attack is ongoing?</P> Tue, 14 Jun 2022 06:33:23 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601652#M209392 ITWhisperer 2022-06-14T06:33:23Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601666#M209395 <P>Ok. Let me check.&nbsp; Should i check for something like&nbsp; isnull(EventCount) or isNOTnull(EventCount)&nbsp; to determine transaction is on going ?<BR /><BR /></P> Tue, 14 Jun 2022 07:08:27 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601666#M209395 neerajs_81 2022-06-14T07:08:27Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601669#M209397 <P>The transaction command processes the events in the pipeline. What I am suggesting is that the number of events in the transaction might tell you whether there is an attack (within the transaction). To see if it is "ongoing" you could look for the latest timestamp in the transaction and compare it to the current time?</P> Tue, 14 Jun 2022 07:40:36 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601669#M209397 ITWhisperer 2022-06-14T07:40:36Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601841#M209458 <P>i am trying to do what you suggested, look at the latest timestamp ( as in the last timestamp) in the "transaction" and compare with current time but its not working out. Can you pls advise where i am going wrong in the below search ?<BR /><BR />The transaction results have multiple events within each one, and there is a field called <STRONG>datetime</STRONG> which is multi value field and it has values of timestamps of all different events in that transaction.&nbsp; I am using mvindex to capture the "last" value from this datetime array.&nbsp; That will give me the last as in latest timestamp of that activity.&nbsp;&nbsp;<BR /><BR />I checked under "Interesting fields" in Splunk ,&nbsp; the DT field values are correctly showing up.&nbsp; But the "<STRONG>LastSeenEventTime</STRONG>" is not getting created.&nbsp; Any suggestions why ?&nbsp; I am converting <STRONG>DT</STRONG> into epoch time and saving that a <STRONG>LastSeenEventTime</STRONG> . Then i am comparing with <STRONG>now</STRONG>() field to achieve the use case.&nbsp;&nbsp;<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">| eval DT =mvindex(datetime,-1) | eval LastSeenEventTime = strptime(DT, "%m-%d-%Y %H:%M:%S") | table eventcount logtype, eventID, status, eventType, severity | where DT = now()</LI-CODE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_0-1655278259840.png" style="width: 436px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20104iA83AA6EF816C8B51/image-dimensions/436x159?v=v2" width="436" height="159" role="button" title="neerajs_81_0-1655278259840.png" alt="neerajs_81_0-1655278259840.png" /></span></P><P>&nbsp;</P> Wed, 15 Jun 2022 07:31:12 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601841#M209458 neerajs_81 2022-06-15T07:31:12Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601848#M209462 <P>LastSeenEventTime and DT do not appear in your table command so are not available beyond this point. Could this be your issue?</P> Wed, 15 Jun 2022 08:03:47 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601848#M209462 ITWhisperer 2022-06-15T08:03:47Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601867#M209471 <P>No, not really. Even if i include them in table command,&nbsp; the table view returns &lt;empty&gt;<BR />Couple of questions:<BR />1. Is this the right way to compare/check against the current time&nbsp; -&nbsp; &nbsp;<STRONG>| where DT = now()</STRONG></P><P>&nbsp;2. As per my screenshot you will see the datetime field has values in this format: &nbsp;<STRONG>2022-06-15 16:15:21+08:00<BR /><BR /></STRONG>So if i am doing a | eval LastSeenEventTime = strptime(DT, <STRONG>"%Y-%m-%d %H:%M:%S") , </STRONG>is this correct?&nbsp; The +08:00 is not accounted for in the time format.</P> Wed, 15 Jun 2022 09:16:26 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601867#M209471 neerajs_81 2022-06-15T09:16:26Z https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601888#M209481 <P>1. Comparing to now() is unlikely to get a hit. The timestamps you are comparing are from the events, which will have been logged, then ingested and indexed, all of which takes time, so they are unlikely to be instant i.e. they won't match now(). You would probably be better considering the difference between now() and DT and see if it is close (by whatever you consider to be close, taking into account the lag time between the event being logged and it being available in the index).</P><P>2. For the time format to take timezone into account, you need to add it to parsing string</P><LI-CODE lang="markup">| eval LastSeenEventTime = strptime(DT, "%Y-%m-%d %H:%M:%S %:z")</LI-CODE> Wed, 15 Jun 2022 10:05:33 GMT https://community.splunk.com/t5/Splunk-Search/ES-Use-case-How-to-detect-an-ongoing-activity-using-Transaction/m-p/601888#M209481 ITWhisperer 2022-06-15T10:05:33Z