topic How to use the condition stanza in this spl query? in Splunk Search

How to use the condition stanza in this spl query?

AL3Z — Wed, 29 Mar 2023 16:06:30 GMT

Hi, I'm trying to find the alerts by user between the period of 2 hours like Alert1,Alert2 Here I need a spl query for this condition
* And one more condition spl is In bwtween 2hours if there is an alert for single user more than 3 times it should raise an alert.
Thanks.

Re: how to use the condition stanza in this spl query

richgalloway — Wed, 29 Mar 2023 12:50:16 GMT

What have you tried so far and what results did you get?

Re: how to use the condition stanza in this spl query

AL3Z — Wed, 29 Mar 2023 14:07:20 GMT

@richgalloway
Hi,
Use case :1

If the user triggers pdm and encrypt alerts both in a period of 2 hours it should raise an alert.

Use case:2

If the user triggers other than pdm in between 2 hours for single user more than 3 times it should raise an alert .

Thanks

Re: how to use the condition stanza in this spl query

AL3Z — Wed, 29 Mar 2023 18:34:09 GMT

@richgalloway

Please have a look on usecase snapshot once.

Re: how to use the condition stanza in this spl query

richgalloway — Wed, 29 Mar 2023 20:58:51 GMT

You have the searches so what is preventing you from saving them as alerts? Click "Save as" in the top-right corner of the search to make it into an alert.

Re: how to use the condition stanza in this spl query

AL3Z — Wed, 29 Mar 2023 23:54:33 GMT

@richgalloway

My aim is creating a correlation search..

Re: how to use the condition stanza in this spl query

richgalloway — Thu, 30 Mar 2023 13:27:20 GMT

In Enterprise Security, go to Configure->Content->Content Management then click the "Create New Content" button and select Correlation Search. Copy-and-paste your search from the S&R window into the Search box of the CS. Complete the rest of the CS form and click Save.

Re: how to use the condition stanza in this spl query

AL3Z — Thu, 30 Mar 2023 17:11:05 GMT

@richgalloway
what I'm trying to do is like

usecase1: alert_name!="*pdm*" by user

base search
--------------
| eval non_pdm_alert=if(alert_name!="*pdm*", 1, 0)
| sort _time
| streamstats count(non_pdm_alert) AS non_pdm_count by user time_window=2h
| where non_pdm_count>2

It is not giving desired output.

usecase 2: (alert_name="*PDM*" AND alert_name="*encrypted*")

base search

| eval both_alerts_triggered=if(alert_name="*pdm*" AND alert_name="*encrypted*", 1, 0)
| sort _time
| streamstats count(eval(both_alerts_triggered=1)) AS triggered_count by user time_window=2h
| where triggered_count>=2

Re: how to use the condition stanza in this spl query

richgalloway — Thu, 30 Mar 2023 19:06:59 GMT

I'm uncertain about what the ask. First you asked for alerts. Then you shared your searches and asked how to make them into correlation searches. Now you share more searches and say the output is not what is desired. Just what is desired? How are the existing searches not meeting expectations? What are those expectations?

Re: how to use the condition stanza in this spl query

AL3Z — Fri, 31 Mar 2023 01:14:16 GMT

Hi ,

@richgalloway

My ask is if the user triggers both the alerts i.e pdm and encrypted with in a span of 2 hours.

Other one is if the user triggers non pdm alerts with in a span of 2 hours is my requirement

Please edit the above search as per the usecase.

Thanks

Re: how to use the condition stanza in this spl query

richgalloway — Sun, 02 Apr 2023 14:53:51 GMT

Alerts are independent. There is no test for triggering more than one alert (unless you're using Enterprise Security). One alert would have to test for both (or more) conditions and trigger if all are met.