topic Re: Using Eval to find the usecase in Splunk Search

How to use eval to find the usecase?

AL3Z — Tue, 04 Apr 2023 10:32:06 GMT

Hi,
Could any one able to write the query for the use case if user triggers both alerts (alert_name="*pdm*" AND alert_name="*encrypted*") in between 2 hours

another use case is alertname!="*pdm*" if user triggers other than pdm alert in between 2 hours

need a query for above use cases
thanks...

Re: Using Eval to find the usecase

ITWhisperer — Fri, 31 Mar 2023 07:13:05 GMT

You could start by counting the alerts by user over a two hour period

| stats count by user alert_name

Then classify the alerts

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm") | chart count by user alert_type | where (pdm > 0 AND encrypted > 0) OR notpdm > 1

Re: Using Eval to find the usecase

AL3Z — Fri, 31 Mar 2023 07:37:22 GMT

@ITWhisperer

Hi, Could you please make search seperate as per the use case instead of all in one search

1.Use case alert_name= "*pdm*" AND alert_name="*encrypted*"

Both alerts in between 2 hours.

2. Use case alertname!="*pdm*"

Between 2 hours of period.

Thanks

Re: Using Eval to find the usecase

ITWhisperer — Fri, 31 Mar 2023 08:10:56 GMT

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm") | chart count by user alert_type | where pdm > 0 AND encrypted > 0

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm") | chart count by user alert_type | where notpdm > 1

Re: Using Eval to find the usecase

AL3Z — Fri, 31 Mar 2023 08:36:26 GMT

@ITWhisperer

Second use case is like alert_ name other than pdm, dnt mention encrypted,we are not interested in encrypted alert_name in second search.

Alert_ name!= "*pdm*"

Here we are using *pdm* coz to find the similar word pdm in alert_name

Pls remove encrypted from query it is different alert type ,

Only need alert_name !="*pdm*"

Thanks

Re: Using Eval to find the usecase

ITWhisperer — Fri, 31 Mar 2023 08:48:56 GMT

It is a simple change - you could have done it yourself?

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", 1==1, "notpdm") | chart count by user alert_type | where notpdm > 1

Re: Using Eval to find the usecase

AL3Z — Fri, 31 Mar 2023 10:13:54 GMT

@ITWhisperer
Could you pls check why this query is not listing all the stats fields in the output
index=es sourcetype=alert (alert_name!="*PDM*")
| stats earliest(_time) as incident_time,
values(severity) as severity,
values(action) as action,
values(file_type) as file_type,
values(exposure) as exposure,
values(url) as url,
values(device) as device
by user,alert_name
| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", 1==1, "notpdm")
| chart count by user alert_type
| where notpdm > 1

Re: Using Eval to find the usecase

ITWhisperer — Fri, 31 Mar 2023 10:15:48 GMT

Try it this way

index=es sourcetype=alert NOT (alert_name="*PDM*")

Re: Using Eval to find the usecase

AL3Z — Fri, 31 Mar 2023 10:24:35 GMT

@ITWhisperer

Why still it is not listing out the stats fields mentioned ? What could be the reason

Re: Using Eval to find the usecase

ITWhisperer — Fri, 31 Mar 2023 10:27:54 GMT

The chart command has two dimensions - in your case, these are user, and alert_type, against which there is a count.

If you want more fields, don't use chart.

What are you attempting to show?

Re: Using Eval to find the usecase

AL3Z — Fri, 31 Mar 2023 12:16:12 GMT

@ITWhisperer ,

Other fields as well like dlprule,filetype,incidentime

Re: Using Eval to find the usecase

AL3Z — Fri, 31 Mar 2023 13:45:32 GMT

@ITWhisperer ,

Hi,

In this search you didn't mention any time interval like the period of two hours

When the user triggers the non pdm alerts in between 2 hours of time

Re: Using Eval to find the usecase

ITWhisperer — Fri, 31 Mar 2023 14:03:43 GMT

Don't use chart!

Try with eventstats

| eventstats count by user alert_type | where alert_type=="notpdm" AND count > 1

Re: Using Eval to find the usecase

AL3Z — Mon, 03 Apr 2023 17:49:51 GMT

@ITWhisperer ,

Pls could you make the search in between 2 hours more than 3 times if user triggers alert other than pdm

Thanks

Re: Using Eval to find the usecase

ITWhisperer — Tue, 04 Apr 2023 07:45:50 GMT

Change the timeframe of the search to be the time period you want.