I created a correlation search following this guide:
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/use-cases/detect-when-criti...
| metadata type=hosts
| lookup critical_systems Host_name as host OUTPUT Host_name as host
| search host=*
| eval last60=relative_time(now(),"-60m@m")
| where lastTime < last60
| sort -lastTime
| convert ctime(lastTime) as LastTimeLogged
| table host, LastTimeLogged
So I tested it with a lookup critical_systems that contained working machines and machines that had not been sending logs for 2-3 days.
The trigger was successful. But after a while a critical machine stopped sending logs, and the correlation search did not fire.
What can the problem be?
Hi test_qweqwe,
why don't you use a different search:
| metasearch index=your_index
| eval host=upper(host)
| stats count by host
| append [ | inputlookup critical_systems | eval host=upper(Host_name), count=0 | fields host count ]
| stats sum(count) AS Total BY host
| where Total=0
So hosts with Total>0 are OK, hosts with Total=0 are missing.
Bye.
Giuseppe
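As an added illustration (not code from the thread, from Splunk, or from the guide linked above), here is a small Python model of the two SPL searches discussed, run over constructed host data so the difference in behaviour is visible. The host names, timestamps and lookup contents are made up. The model assumes that `metadata type=hosts` lists every host that still has retained data with the time of its latest event, that the scheduled search runs over a fixed window, and it compares host names exactly in the original search so that the effect of the `upper()` normalisation in Giuseppe's version can be seen.

```python
from datetime import datetime, timedelta

# Fixed "now" so the results are deterministic (constructed, not real data).
NOW = datetime(2024, 1, 1, 12, 0, 0)

# Constructed stand-in for `| metadata type=hosts`: host -> time of its latest
# indexed event. Assumed here to list every host that still has retained data.
METADATA_HOSTS = {
    "web01": NOW - timedelta(minutes=5),    # critical, healthy
    "db02": NOW - timedelta(hours=2),       # critical, silent for 2 hours
    "App03": NOW - timedelta(minutes=1),    # critical, healthy, cased differently from the lookup
    "noise04": NOW - timedelta(minutes=1),  # healthy, not a critical system
}

# Constructed stand-in for the critical_systems lookup (its Host_name column).
# never05 has no indexed events at all, so it has no row in METADATA_HOSTS.
CRITICAL_SYSTEMS = ["web01", "db02", "app03", "never05"]


def search_by_metadata(metadata, lookup, threshold_minutes=60):
    """Model of the original search:
       | metadata type=hosts
       | lookup critical_systems Host_name as host OUTPUT Host_name as host
       | search host=*
       | where lastTime < relative_time(now(), "-60m@m")
    The lookup step keeps only hosts present in BOTH the metadata output and
    the lookup, so a critical host with no metadata row yields no result row
    at all. Host names are compared exactly in this model (assumption).
    """
    cutoff = NOW.replace(second=0, microsecond=0) - timedelta(minutes=threshold_minutes)
    critical = set(lookup)
    return sorted(
        host for host, last_time in metadata.items()
        if host in critical and last_time < cutoff
    )


def search_by_append(metadata, lookup, window_minutes=60, normalize=True):
    """Model of Giuseppe's search over a scheduled window of window_minutes:
       | metasearch index=your_index | eval host=upper(host) | stats count by host
       | append [ | inputlookup critical_systems | eval host=upper(Host_name), count=0 ]
       | stats sum(count) AS Total BY host | where Total=0
    Every lookup row contributes count=0, so a critical host with no events in
    the window (including one that never logged at all) ends with Total=0.
    normalize=False models the same search without the upper() calls.
    """
    norm = (lambda h: h.upper()) if normalize else (lambda h: h)
    window_start = NOW - timedelta(minutes=window_minutes)
    total = {}
    # metasearch ... | stats count by host: one row per host with events in the window
    # (the real search counts events; only presence matters for the alert).
    for host, last_time in metadata.items():
        if last_time >= window_start:
            total[norm(host)] = total.get(norm(host), 0) + 1
    # append [ inputlookup ... | eval count=0 ]: every critical host gets a zero row
    for host_name in lookup:
        total.setdefault(norm(host_name), 0)
    # stats sum(count) AS Total BY host | where Total=0
    return sorted(host for host, t in total.items() if t == 0)


if __name__ == "__main__":
    print("original search, silent > 60m:", search_by_metadata(METADATA_HOSTS, CRITICAL_SYSTEMS))
    print("append search, normalised:     ", search_by_append(METADATA_HOSTS, CRITICAL_SYSTEMS))
    print("append search, no upper():     ", search_by_append(METADATA_HOSTS, CRITICAL_SYSTEMS, normalize=False))
```

Two things the constructed data shows. The original search can only report a critical host that still has a metadata row: never05, which is in the lookup but has no row, produces no output line, whereas the append form reports it with Total=0 alongside db02. And without the `upper()` on both sides, App03 is reported as missing purely because its case differs from the lookup entry app03, which is the mismatch Giuseppe's normalisation removes.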
The fact that it was not detected means that the log was being sent.
How about adding conditions to target only the necessary logs?
ex.
| metadata type=hosts index=your_index