Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search and Alert on an event that has never been seen before ?

the_wolverine
Champion
‎12-07-2010 07:17 PM

I'm trying to set up Splunk to detect anomalies. An example would be searching on DHCP logs for a new MAC Address. Is there an example of a workflow that would allow me to do this?

0 Karma
Reply

prelert
Path Finder
‎09-02-2014 09:07 AM

An approach would be to statistical model the rarity of a host value in time. For example, if normal host values occurred on an hourly basis, a rare host value would be one that occurred significantly less frequently that 'normal' host values.

host=* | prelertautodetect rare by host

would satisfy this requirement, and can be easily operationalised in real-time to avoid the scale issues above.

0 Karma
Reply

maverick
Splunk Employee
Splunk Employee
‎06-14-2011 08:33 AM

One way would be to nest a sub search within a parent search, where the sub search finds all MAC Address values from a previous time range and then the parent search finds all MAC address that are NOT in the current hour time range.

As an example, here is how you could do this technique with the host field, where you want to know which hosts are showing up in events today that were NOT showing up yesterday:

host=* earliest=-24h NOT [search host=* earliest=-48h latest=-24h | dedup host | table host]

0 Karma
Reply

the_wolverine
Champion
‎06-23-2011 02:23 PM

Thanks, Maverick. Unfortunately, it seems like a very expensive search having to search across all our data because its for anomaly detection; we'd want to be alerted close to real-time so we'd have to run this frequently.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...