Alerting

Alerts - how to show transactions that occurred before alert triggered

randy_moore
Path Finder

I need to create an alert that does two things: (1) triggers if a "fraud" flag is set to TRUE and (2) shows ONLY the transactions from that site, regardless of whether the fraud flag was set or not. Basically, what people want to see is the behavior that happened leading up to and including the fraud flag being set.

For scenario 1, I have the alert triggered on fraud=TRUE. Works fine. For the 2nd part, I thought I could do a look back of 30 minutes; however, we have 8000+ locations, so I can't just dump the preceding 30 minutes of transactions as that is too much noise.

Application log data looks like this (simplified and hopefully formatted legibly):

Date        Time        Site     Amount    Fraud_Flag
03-09-18    13:21:05    12345    50.00     FALSE
03-09-18    13:21:15    00313    50.00     FALSE
03-09-18    13:21:25    12345    99.00     FALSE
03-09-18    13:21:35    12345    85.00     FALSE
03-09-18    13:21:45    12345    50.00     FALSE
03-09-18    13:21:50    00313    65.00     FALSE
03-09-18    13:21:51    00313    54.00     FALSE
03-09-18    13:21:52    00313    51.00     FALSE
03-09-18    13:21:53    12345    50.00     FALSE
03-09-18    13:21:54    00313    25.00     TRUE

So what happens now is the alert trips at the 13:21:54 entry (site 313) and sends a fraud alert with just that one line out to the teams. What I want is to be able to also get the last 30 minutes of transactions for just the site for which the alert was triggered.

I thought about doing an appendcols but what is stopping me is not knowing how to pass just the one site number.

0 Karma
1 Solution

randy_moore
Path Finder

I used the "map" command to get what I needed. Not sure how efficient that is to do so.
When talking with the stakeholders and showing them what they could get out of the search they actually wanted me to go back two hours.

Here is my sanitized search:

index=Sites sourcetype=metrics category=transaction earliest=-10m fraud_trigger="true"
| stats count by site_number fraud_trigger
| fillnull value="" site_number
| map maxsearches=1 search="search index=Sites sourcetype=metrics category=transaction earliest=-2h site_number=$site_number$ | `Date_and_Time` | table Date Time site_number endpoint fraud_trigger auth_source amount tran_id | sort Time"

The 1st line is just looking back 10 minutes for the fraud trigger being set.
2nd line is self-explanatory.
3rd line is there if there were no results from the stats.
4th line does the heavy lifting. It looks back 2 hours from the trigger time for only the site number where the fraud is happening by taking the site_number from the preceding search and using it in the map command. It then formats the date and time into something readable and then displays the needed data elements.

0 Karma
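As an added illustration (not from the original post or from Splunk), here is the same per-site lookback the accepted search performs with map, written in Python over the question's sample rows: the fraud-flagged event supplies the site number, and only that site's transactions inside the window ending at the trigger are returned, so the other sites never show up as noise.

```python
from datetime import datetime, timedelta

# Constructed sample in the question's simplified format
# (Date Time Site Amount Fraud_Flag); not real transaction data.
SAMPLE_LOG = """\
03-09-18    13:21:05    12345    50.00    FALSE
03-09-18    13:21:15    00313    50.00    FALSE
03-09-18    13:21:25    12345    99.00    FALSE
03-09-18    13:21:35    12345    85.00    FALSE
03-09-18    13:21:45    12345    50.00    FALSE
03-09-18    13:21:50    00313    65.00    FALSE
03-09-18    13:21:51    00313    54.00    FALSE
03-09-18    13:21:52    00313    51.00    FALSE
03-09-18    13:21:53    12345    50.00    FALSE
03-09-18    13:21:54    00313    25.00    TRUE
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts with a real timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, site, amount, flag = line.split()
        rows.append({
            "ts": datetime.strptime(f"{date} {time}", "%m-%d-%y %H:%M:%S"),
            "site": site,
            "amount": float(amount),
            "fraud": flag.upper() == "TRUE",
        })
    return rows


def fraud_context(rows, lookback=timedelta(hours=2)):
    """For each fraud-flagged event return that site's transactions in the
    lookback window ending at the trigger, oldest first. This mirrors the
    accepted search: trigger search -> site_number -> per-site history -> sort.
    Keyed by (site, trigger time) so several sites tripping at once stay apart."""
    contexts = {}
    for trig in (r for r in rows if r["fraud"]):
        start = trig["ts"] - lookback
        history = [r for r in rows
                   if r["site"] == trig["site"] and start <= r["ts"] <= trig["ts"]]
        history.sort(key=lambda r: r["ts"])
        contexts[(trig["site"], trig["ts"])] = history
    return contexts
```

Trimming the window to the trigger site is what keeps the alert payload small across thousands of locations; the window length is the only knob, just as earliest=-2h is in the SPL.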

anjambha
Communicator

Hi randy_moore,

You can try this.

earliest=-30m <Base search> | where [search earliest=-5m <Base search> | where Fraud_Flag == "TRUE" | return 10000 Site] | table Date Time Site Amount Fraud_Flag

0 Karma

kmaron
Motivator

You might be able to put your alert criteria in a subsearch that returns the site # and the true flag.

0 Karma