Alerting

How to make a query that will trigger when second query finds nothing?

intrach
Explorer

Hi,

I am a beginner in Splunk and would like to ask if anyone can help me with creating a search or alert that would trigger if a certain condition 2 is not seen.

Example.

The first condition is if src_ip has event 1234 and event 2345 that is allowed in WAF,

then the second condition is to check if the same src_ip does not have event 3456 in IPS.

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @intrach,

let me understand: what are the conditions for successful and blocked in waf?

it should be action=allowed and action=denied.

Then you don't want to trigger if the src_ip is in ips, is it correct?

If this is the condition, you could run something like this:

index=waf (src_ip="1234" OR src_ip="2345") (action=allowed OR action=denied) NOT [ search index=ips src="3456" | dedup src_ip | fields src_ip ]
| stats dc(action) AS dc_action BY src_ip
| where dc_action=2

If the above conditions aren't the ones you need, please describe your conditions to test.

Ciao.

Giuseppe


intrach
Explorer

Hi Thanks,

It just got a bit more complicated, so now this is the use case we want to explore:
a. Successful and blocked request from the same IP address in WAF
b. If the same IP in the WAF is blocked at the IPS, don’t alert


Any idea on this? Thank you so much



intrach
Explorer

Thank you so much!


gcusello
SplunkTrust
SplunkTrust

Hi @intrach,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
SplunkTrust
SplunkTrust

Hi @intrach,

if in the second search you have fewer than 50,000 results, you could use something like this:

index=waf (src_ip="1234" OR src_ip="2345") NOT [ search index=ips src="3456" | dedup src_ip | fields src_ip ]
| ...

if instead, you have more than 50,000 results in the second search, you have to use a different solution:

(index=waf (src_ip="1234" OR src_ip="2345")) OR (index=ips src="3456")
| stats dc(index) AS dc_index values(index) AS index BY src_ip
| where dc_index=1 AND index="waf"
| ...

if you need more fields using the second search, you can add them as values in the stats command.

Ciao.

Giuseppe
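As an added example that is not from the thread, this folds both conditions of the follow-up question (a. the same IP both allowed and denied in the WAF, b. no block for that IP at the IPS) into the stats-only form from the answer above, so it is not subject to the subsearch result limit. It assumes that both indexes expose the client address as src_ip, that WAF events carry action=allowed or action=denied, and that IPS blocks carry action=blocked; adjust these field names and values to your sourcetypes.

```spl
(index=waf (action=allowed OR action=denied)) OR (index=ips action=blocked)
| eval waf_action=if(index="waf", action, null())
| eval ips_block=if(index="ips", 1, 0)
| stats dc(waf_action) AS dc_waf_action,
        values(waf_action) AS waf_actions,
        sum(ips_block) AS ips_blocks,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY src_ip
| where dc_waf_action=2 AND ips_blocks=0
| convert ctime(first_seen) ctime(last_seen)
```

Each row that survives the where clause is a src_ip that was both allowed and denied by the WAF in the alert's time range while the IPS never blocked it, so an alert set to trigger on "number of results > 0" over that range fires only for the uncovered addresses.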
