Alerting

Creating a particular custom condition for creating alerts that monitor matching results in real time within a rolling window

misteryuku
Communicator

Let's say I have a set of log events like this in the search app of Splunk:

Thu Apr 26 09:39:22 SGT 2012 INFO no = 1 time = 0.000000 src = 164.124.33.78 dest = 192.168.0.1 protocol = TCP length = 54 info = "35165 > 80 [SYN] Seq=0 Win=16384 Len=0 "

Thu Apr 26 09:39:22 SGT 2012 INFO no = 2 time = 0.000001 src = 38.198.26.9 dest = 192.168.0.1 protocol = TCP length = 54 info = "14378 > 80 [SYN] Seq=0 Win=16384 Len=0 "

Thu Apr 26 09:39:22 SGT 2012 INFO no = 3 time = 0.000003 src = 132.212.36.201 dest = 192.168.0.1 protocol = TCP length = 54 info = "31944 > 80 [SYN] Seq=0 Win=16384 Len=0 "

I clicked the create button > alert. Then I chose "monitor in real time over a rolling window of..", then under trigger, if I select "custom condition is set" from the drop-down menu, I would like to create the alert that would be triggered when the custom condition is set.

I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contain protocol = TCP, the same dest field values, and the info field contains the word "SYN", e.g. trigger the alert whenever the above conditions (in bold) I mentioned appear more than 20 times.

The question is: how do I create the custom condition so that the custom condition would satisfy the above conditions (in bold) I mentioned?

1 Solution

echalex
Builder

Hi,
Sounds like you could use transaction for that:

protocol="TCP" | where match(info, "SYN") | transaction dest | search eventcount>=20

The transaction command will combine all the events into one and the last command will restrict the search to show the transactions with 20 or more results.

Then set the condition to "Number of events is greater than 0"

HTH!

misteryuku
Communicator

I asked again because I thought my question wasn't clear enough.


echalex
Builder

Another option for the search condition could be "if custom condition is met" and for the custom condition "eventcount >= 20".


echalex
Builder

To elaborate further, the search will take all the events with protocol="TCP", then show only those that contain "SYN" in their info field, group them together so they have the same dest field and finally leave out those groups with less than 20 events.

The group will show as only 1 result, although the group contains 20 or more events. Therefore the alert condition only needs to find 1 or more results. (Which means "is greater than 0", of course. Now corrected in my answer.)


echalex
Builder

Aha! So to clarify: when you say consecutive, you mean that if there is any event between the first and the second event, then it doesn't apply? I'm not sure if transaction can do this and I'm not sure how you would do it in the search language.

But to clarify: the | does not mean OR, it is more akin to the command piping in e.g. unix or windows command line. The transaction dest command will group only such events that have the same dest field. The last search eventcount>= 20 will require that such a group has at least 20 events in it.


misteryuku
Communicator

Sorry, I beg your pardon. What I mean is I would like this kind of alert to be triggered whenever the CONSECUTIVE log events contain protocol = TCP AND the same dest field values AND the info field contains the word "SYN", e.g. trigger the alert whenever the above conditions (in bold) I mentioned appear more than 20 times. Is it going to be the same search stmt? Or replace | with &&?? I just need to clarify.

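The distinction raised in the exchange above (transaction groups every matching event by dest no matter what sits between them, while the question asks for strictly consecutive events) can be checked offline. The script below is an added example, not code from this thread or from Splunk. It parses constructed sample lines laid out like the question's events (the src/dest/protocol/length/info field order is an assumption taken from those three lines), computes the transaction-style count per dest and the longest run of adjacent SYN events to the same dest, and reports which dests would fire at a threshold. The addresses, the ACK event and the helper names (make_line, alerting_dests, etc.) are all constructed for illustration.

```python
import re
from collections import defaultdict

# Regex for the field layout seen in the question's sample events (assumed layout).
EVENT_RE = re.compile(
    r'src = (?P<src>\S+) dest = (?P<dest>\S+) protocol = (?P<protocol>\S+) '
    r'length = (?P<length>\d+) info = "(?P<info>[^"]*)"'
)


def make_line(no, src, dest, info):
    """Build one constructed event line in the same shape as the question's sample."""
    return (f"Thu Apr 26 09:39:22 SGT 2012 INFO no = {no} time = 0.{no:06d} "
            f"src = {src} dest = {dest} protocol = TCP length = 54 info = \"{info}\"")


# Constructed sample: 22 SYNs to 192.168.0.1 with a single ACK after the 10th SYN,
# followed by 3 SYNs to another host. Every address here is made up.
SAMPLE_LINES = (
    [make_line(i, f"10.1.1.{i}", "192.168.0.1", f"{30000 + i} > 80 [SYN] Seq=0 Win=16384 Len=0 ")
     for i in range(1, 11)]
    + [make_line(11, "10.1.1.200", "192.168.0.1", "40000 > 80 [ACK] Seq=1 Ack=1 Win=16384 Len=0 ")]
    + [make_line(i, f"10.1.1.{i}", "192.168.0.1", f"{30000 + i} > 80 [SYN] Seq=0 Win=16384 Len=0 ")
       for i in range(12, 24)]
    + [make_line(i, f"10.2.2.{i}", "10.0.0.5", f"{30000 + i} > 80 [SYN] Seq=0 Win=16384 Len=0 ")
       for i in range(24, 27)]
)


def parse_event(line):
    """Extract src, dest, protocol, length and info from one line; None if the layout does not match."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def is_syn(event):
    """The filter from the accepted answer: protocol="TCP" and the info field contains SYN."""
    return event["protocol"] == "TCP" and "SYN" in event["info"]


def syn_count_per_dest(events):
    """Transaction-style grouping: matching events per dest, regardless of what lies between them."""
    counts = defaultdict(int)
    for e in events:
        if is_syn(e):
            counts[e["dest"]] += 1
    return dict(counts)


def longest_syn_run_per_dest(events):
    """Strict reading of 'consecutive': longest run of adjacent matching events with the same dest.
    A non-matching event, or a matching event for a different dest, ends the current run."""
    longest = defaultdict(int)
    current_dest, run = None, 0
    for e in events:
        if is_syn(e) and e["dest"] == current_dest:
            run += 1
        elif is_syn(e):
            current_dest, run = e["dest"], 1
        else:
            current_dest, run = None, 0
        if current_dest is not None:
            longest[current_dest] = max(longest[current_dest], run)
    return dict(longest)


def alerting_dests(lines, threshold=20, consecutive=False):
    """Dests that would trigger the alert: count >= threshold, mirroring 'search eventcount>=20'."""
    events = [e for e in (parse_event(l) for l in lines) if e is not None]
    counts = longest_syn_run_per_dest(events) if consecutive else syn_count_per_dest(events)
    return sorted(d for d, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("transaction-style grouping fires for:", alerting_dests(SAMPLE_LINES))
    print("strictly consecutive fires for:", alerting_dests(SAMPLE_LINES, consecutive=True))
```

On the constructed sample the transaction-style count for 192.168.0.1 is 22 and fires at the answer's threshold of 20, while the single interleaved ACK splits the strictly consecutive runs into 10 and 12, so the consecutive reading does not fire. That is exactly the gap the reply above points out: the accepted search expresses the first semantic, and the thread does not offer a search-language equivalent for the second.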

misteryuku
Communicator

Thanks for the answer.
