I need to create an alert that does two things (1) triggers if a "fraud" flag is set to TRUE and (2) show ONLY the transactions from that site regardless of if the fraud flag was set or not. Basically what people want to see if the behavior that happened that led up to and including the fraud flag being set.
For scenario 1, I have the alert trigged on fraud=TRUE. Works fine. For the 2nd part, I thought I could do a look back of 30 minutes, however we have 8000+ locations so I cant just dump the preceding 30 minutes of transactions as that is too much noise.
Application log data looks like this (simplified and hopefully formatted legibly)
Date Time Site Amount Fraud_Flag 03-09-18 13:21:05 12345 50.00 FALSE 03-09-18 13:21:15 00313 50.00 FALSE 03-09-18 13:21:25 12345 99.00 FALSE 03-09-18 13:21:35 12345 85.00 FALSE 03-09-18 13:21:45 12345 50.00 FALSE 03-09-18 13:21:50 00313 65.00 FALSE 03-09-18 13:21:51 00313 54.00 FALSE 03-09-18 13:21:52 00313 51.00 FALSE 03-09-18 13:21:53 12345 50.00 FALSE 03-09-18 13:21:54 00313 25.00 TRUE
So what happens now is the alert trips at the 13:21:54 entry (site 313) and sends a fraud alert with just that one line out to the teams. What I want is to be able to also get the last 30 minutes of transactions for just the site for which the alert was triggered.
I thought about doing an appendcols but what is stopping me is not knowing how to pass just the one site number.
you might be able to put your alert criteria in a subsearch that returns the site # and the true flag
You can try this.
earliest=-30m <Base search> | where [search earliest=-5m <Base search> | where Fraud_Flag == "TRUE" | return 10000 Site] | table Date Time Site Amount Fraud_Flag
I used the "map" command to get what I needed Not sure how efficient that is to do so.
When talking with the stakeholders and showing them what they could get out of the search they actually wanted me to go back two hours.
Here is my sanitized search:
index=Sites sourcetype=metrics category=transaction earliest=-10m fraud_trigger="true" | stats count by site_number fraud_trigger | fillnull value="" site_number | map maxsearches=1 search="search index=Sites sourcetype=metrics category=transaction earliest=-2h site_number=$site_number$ | `Date_and_Time`| table Date Time site_number endpoint fraud_trigger auth_source amount tran_id | sort Time"
The 1st line is just looking back 10 minutes for the fraud trigger being set
2nd line is self-explanatory
3rd line is there if there were no results from the stats
4th line does the heavy lifting. It looks back 2 hours from the trigger time for only the site number where the fraud is happening by taking the site_number from the preceeding search and using it in the map command. It them formats the date and time into something readable and then displays the needed data elements.