Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Custom condition for creating a particular alert

misteryuku
Communicator
‎05-20-2012 08:19 PM

Lets say I have Splunk that monitors a log file that contains two log messages that look like this :

Tue Mar 06 07:41:28 SGT 2012 no = 8 time = 30.614993 src = 10.1.1.1 dest = 129.111.30.27 protocol = IPv4 length = 70 info = "Fragmented IP protocol (proto=UDP 0x11, off=0, ID=00f2) "

Tue Mar 06 07:41:29 SGT 2012 no = 9 time = 30.615348 src = 10.1.1.1 dest = 129.111.30.27 protocol = UDP length = 38 info = "Source port: 31915 Destination port: 20197 [BAD UDP LENGTH 36 > IP PAYLOAD LENGTH] "

I would like to have the ALERT triggered in real time whenever Splunk detects these two messages that contains the same src field value same dest field value and info that contains this value "Fragmented IP protocol (proto=UDP 0x11, off=0, ID=00f2)" and info that contains "Source port: 31915 Destination port: 20197 [BAD UDP LENGTH 36 > IP PAYLOAD LENGTH] "

What would be the custom condition ?

Tags (3)
0 Karma
Reply

Ayn
Legend
‎05-21-2012 11:30 PM

Use transaction and search for transactions that meet your criteria. Assuming your fields are called src and dest (change otherwise) and you're only interested if the two events occur within 5 seconds:

... | transaction maxspan=5s src dest | search "Fragmented IP protocol" AND "BAD UDP LENGTH"

Then just create an alert that triggers wherever this search yields a match.

NOTE that in search I didn't match on the complete strings you mentioned, because I imagine parameters like the source port, UDP ID, UDP length etc will vary.

Reply

misteryuku
Communicator
‎05-22-2012 01:50 AM

okay. I understand

0 Karma
Reply

Ayn
Legend
‎05-22-2012 01:29 AM

That's what the transaction command does - it combines events that share the same values for src and dst.

0 Karma
Reply

misteryuku
Communicator
‎05-22-2012 01:25 AM

I also need another citeria, the src field values and the dest field values are the same for the two log messages. How to combine the two citerias to the search expression that you stated above?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...