I need to create an alert that does two things: (1) triggers if a "fraud" flag is set to TRUE and (2) shows ONLY the transactions from that site, regardless of whether the fraud flag was set or not. Basically what people want to see is the behavior that happened leading up to and including the fraud flag being set.
For scenario 1, I have the alert triggered on fraud=TRUE. Works fine. For the 2nd part, I thought I could do a look back of 30 minutes; however, we have 8000+ locations, so I can't just dump the preceding 30 minutes of transactions as that is too much noise.
Application log data looks like this (simplified and hopefully formatted legibly):
Date Time Site Amount Fraud_Flag
03-09-18 13:21:05 12345 50.00 FALSE
03-09-18 13:21:15 00313 50.00 FALSE
03-09-18 13:21:25 12345 99.00 FALSE
03-09-18 13:21:35 12345 85.00 FALSE
03-09-18 13:21:45 12345 50.00 FALSE
03-09-18 13:21:50 00313 65.00 FALSE
03-09-18 13:21:51 00313 54.00 FALSE
03-09-18 13:21:52 00313 51.00 FALSE
03-09-18 13:21:53 12345 50.00 FALSE
03-09-18 13:21:54 00313 25.00 TRUE
So what happens now is the alert trips at the 13:21:54 entry (site 313) and sends a fraud alert with just that one line out to the teams. What I want is to also get the last 30 minutes of transactions for just the site for which the alert was triggered.
I thought about doing an appendcols, but what is stopping me is not knowing how to pass just the one site number.
I used the "map" command to get what I needed. Not sure how efficient it is to do so.
When talking with the stakeholders and showing them what they could get out of the search, they actually wanted me to go back two hours.
Here is my sanitized search:
index=Sites sourcetype=metrics category=transaction earliest=-10m fraud_trigger="true"
| stats count by site_number fraud_trigger
| fillnull value="" site_number
| map maxsearches=1 search="search index=Sites sourcetype=metrics category=transaction earliest=-2h site_number=$site_number$ | `Date_and_Time` | table Date Time site_number endpoint fraud_trigger auth_source amount tran_id | sort Time"
The 1st line is just looking back 10 minutes for the fraud trigger being set.
2nd line is self-explanatory.
3rd line is there in case there were no results from the stats.
4th line does the heavy lifting. It looks back 2 hours from the trigger time for only the site number where the fraud is happening by taking the site_number from the preceding search and using it in the map command. It then formats the date and time into something readable and then displays the needed data elements.
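The two-stage logic above (alert on the flag, then pull only that site's history) as a stand-alone added example, not code from the post or from Splunk: it runs over a constructed copy of the question's sample table, treats the newest row as "now", and assumes the date column is MM-DD-YY. The defaults mirror the question's 10-minute trigger window and 30-minute look back; pass lookback=timedelta(hours=2) to match the accepted search.

```python
from datetime import datetime, timedelta

# Constructed sample log, same layout as the table in the question:
# Date Time Site Amount Fraud_Flag (date assumed to be MM-DD-YY)
LOG = """\
03-09-18 13:21:05 12345 50.00 FALSE
03-09-18 13:21:15 00313 50.00 FALSE
03-09-18 13:21:25 12345 99.00 FALSE
03-09-18 13:21:35 12345 85.00 FALSE
03-09-18 13:21:45 12345 50.00 FALSE
03-09-18 13:21:50 00313 65.00 FALSE
03-09-18 13:21:51 00313 54.00 FALSE
03-09-18 13:21:52 00313 51.00 FALSE
03-09-18 13:21:53 12345 50.00 FALSE
03-09-18 13:21:54 00313 25.00 TRUE
"""

def parse_log(text):
    """Turn the whitespace-separated rows into dicts with a real timestamp."""
    events = []
    for line in text.strip().splitlines():
        date, time, site, amount, flag = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%m-%d-%y %H:%M:%S"),
            "site": site,
            "amount": float(amount),
            "fraud": flag.upper() == "TRUE",
        })
    return events


def fraud_context(events, trigger_window=timedelta(minutes=10),
                  lookback=timedelta(minutes=30)):
    """Stage 1 (the alert): sites with a fraud flag inside trigger_window,
    measured back from the newest event, which stands in for 'now'.
    Stage 2 (the map/subsearch): for each such site only, every transaction
    in the lookback up to and including the triggering row, sorted by time."""
    now = max(e["ts"] for e in events)
    triggers = {}
    for e in events:
        if e["fraud"] and now - e["ts"] <= trigger_window:
            # keep the latest trigger per site so the window ends at it
            triggers[e["site"]] = max(e["ts"], triggers.get(e["site"], e["ts"]))
    context = {}  # empty when nothing fired, like the fillnull guard
    for site, trig_ts in triggers.items():
        rows = [e for e in events
                if e["site"] == site and trig_ts - lookback <= e["ts"] <= trig_ts]
        context[site] = sorted(rows, key=lambda e: e["ts"])
    return context
```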
Hi randy_moore,
You can try this.
earliest=-30m <Base search> | where [search earliest=-5m <Base search> | where Fraud_Flag == "TRUE" | return 10000 Site] | table Date Time Site Amount Fraud_Flag
You might be able to put your alert criteria in a subsearch that returns the site # and the true flag.