topic Re: Identify a sequence of events on the consecutive change of value of a field in Splunk Search

Identify a sequence of events on the consecutive change of value of a field

vburgun — Wed, 28 Dec 2022 16:46:34 GMT

We index the accesses made on a filer. For each action on a file, events are generated and indexed in Splunk.

The copy of a file does not directly generate a "copy" event but the "Event.System.EventName" field consecutively takes the three values "Open Object", "Get Object Attributes", "Read Object".

This corresponds to three events in Splunk with no real common fields. How to build a query that would identify this consecutive sequence of events to alert us of a file copy ?

Maybe the streamstat command could be used but I can't figure out how.

Re: Identify a sequence of events on the consecutive change of value of a field

ITWhisperer — Thu, 29 Dec 2022 07:28:56 GMT

Try something like this

| streamstats window=3 list(event) as last3events | eval last3events=mvjoin(last3events,",") | where last3events == "Open,Get,Read"

Depending on the order of events for your initial search, you may either need to sort them, or look for "Read,Get,Open"

Re: Identify a sequence of events on the consecutive change of value of a field

vburgun — Thu, 29 Dec 2022 12:51:24 GMT

Hi,

Thanks for your help ! It's perfect !

It works for me