- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Creating a particular custom condition for creatin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lets say i have a set of log events like this in the search app of splunk:
Thu Apr 26 09:39:22 SGT 2012 INFO no = 1 time = 0.000000 src = 164.124.33.78 dest = 192.168.0.1 protocol = TCP length = 54 info = "35165 > 80 [SYN] Seq=0 Win=16384 Len=0 "
Thu Apr 26 09:39:22 SGT 2012 INFO no = 2 time = 0.000001 src = 38.198.26.9 dest = 192.168.0.1 protocol = TCP length = 54 info = "14378 > 80 [SYN] Seq=0 Win=16384 Len=0 "
Thu Apr 26 09:39:22 SGT 2012 INFO no = 3 time = 0.000003 src = 132.212.36.201 dest = 192.168.0.1 protocol = TCP length = 54 info = "31944 > 80 [SYN] Seq=0 Win=16384 Len=0 "
I clicked the create button > alert . Then i chose "monitor in real time over a rolling window of.." the under tigger if i select "custom condition is set" fom the drop down menu. I would like to create the alert that would be triggered when the custom condition is set.
I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contains the protocol = TCP, the same dest field values and the info field contains the word "SYN" eg. trigger the alert whenever the above conditions(in bold) i mentioned appear more than 20 times.
The question is how do i create the custom condition so that the custom condition would statisfy the above conditions(in bold) i mentioned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sounds like you could use transaction for that:
protocol="TCP" |where match(info, "SYN") |transaction dest |search eventcount>=20
The transaction command will combine all the events into one and the last command will restrict the search to show the transactions with 20 or more results.
Then set the condition to "Number of events is greater than 0"
HTH!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sounds like you could use transaction for that:
protocol="TCP" |where match(info, "SYN") |transaction dest |search eventcount>=20
The transaction command will combine all the events into one and the last command will restrict the search to show the transactions with 20 or more results.
Then set the condition to "Number of events is greater than 0"
HTH!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i asked again because i thought my question wasn't clear enough.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another option for the search condition could be "if custom condition is met" and for the custom condition "eventcount >= 20".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To elaborate further, the search will take all the events with protocol="TCP", then show only those that contain "SYN" in their info field, group them together so they have the same dest field and finally leave out those groups with less than 20 events.
The group will show as only 1 result, although the group contains 20 or more event. Therefore the alert condition only needs to find 1 or more results. (Which means "is greater than 0", of course. Now corrected in my answer.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aha! So to clarify: when you say consecutive, you mean that if there is any event between the first and the second event, then it doesn't apply? I'm not sure if transaction can do this and I'm not sure how you would do it in the search language.
But to clarify: the | does not mean OR, it is more akin to the command piping in e.g. unix or windows command line. The transaction dest command will group only such events that have the same dest field. The last search eventcount>= 20 will require that such a group has at least 20 events in it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, i beg your pardon. What i mean is I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contains the protocol = TCP AND the same dest field values AND the info field contains the word "SYN" eg. trigger the alert whenever the above conditions(in bold) i mentioned appear more than 20 times. Is it going to be the same search stmt? or replace | with &&?? I just need to clarify.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer.
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
