Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Custom condition for creating a particular alert

misteryuku
Communicator
‎05-20-2012 08:19 PM

Lets say I have Splunk that monitors a log file that contains two log messages that look like this :

Tue Mar 06 07:41:28 SGT 2012 no = 8 time = 30.614993 src = 10.1.1.1 dest = 129.111.30.27 protocol = IPv4 length = 70 info = "Fragmented IP protocol (proto=UDP 0x11, off=0, ID=00f2) "

Tue Mar 06 07:41:29 SGT 2012 no = 9 time = 30.615348 src = 10.1.1.1 dest = 129.111.30.27 protocol = UDP length = 38 info = "Source port: 31915 Destination port: 20197 [BAD UDP LENGTH 36 > IP PAYLOAD LENGTH] "

I would like to have the ALERT triggered in real time whenever Splunk detects these two messages that contains the same src field value same dest field value and info that contains this value "Fragmented IP protocol (proto=UDP 0x11, off=0, ID=00f2)" and info that contains "Source port: 31915 Destination port: 20197 [BAD UDP LENGTH 36 > IP PAYLOAD LENGTH] "

What would be the custom condition ?

Tags (3)
0 Karma
Reply

Ayn
Legend
‎05-21-2012 11:30 PM

Use transaction and search for transactions that meet your criteria. Assuming your fields are called src and dest (change otherwise) and you're only interested if the two events occur within 5 seconds:

... | transaction maxspan=5s src dest | search "Fragmented IP protocol" AND "BAD UDP LENGTH"

Then just create an alert that triggers wherever this search yields a match.

NOTE that in search I didn't match on the complete strings you mentioned, because I imagine parameters like the source port, UDP ID, UDP length etc will vary.

Reply

misteryuku
Communicator
‎05-22-2012 01:50 AM

okay. I understand

0 Karma
Reply

Ayn
Legend
‎05-22-2012 01:29 AM

That's what the transaction command does - it combines events that share the same values for src and dst.

0 Karma
Reply

misteryuku
Communicator
‎05-22-2012 01:25 AM

I also need another citeria, the src field values and the dest field values are the same for the two log messages. How to combine the two citerias to the search expression that you stated above?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...