- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: How do I group events from three rules by the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a tool that generates three different alerts (alert1, alert 2, alert3). In these alerts, it records the username (parsed out via rex). I am having trouble correlating events when all three alerts contain the same username within a 7 day period. Ideally, I would like to create a dashboard that shows me how many times a username has been observed in alert1, alert2, and alert3 (not in each alert, but in all 3).
Which commands should I be looking at to show me when the username in alert1 = alert2 = alert3 ?
Current search query
index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | unknown_query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | chart count over USERNAME by rule | where alert1>0 AND alert2>0 AND alert3>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | chart count over USERNAME by rule | where alert1>0 AND alert2>0 AND alert3>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been pouring over another post that you answered regarding streamstats trying to decipher it all out but this is perfect! Exactly what I was looking for. Thank you so much!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
streamstats dc(rule) as count by USERNAME | where count>2
will give you the events where the user is seen in the 3 alerts, then you could pipe into the stats command if you want to do further computing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
user3 shows 1 hit, I looked through the logs and only find user3 in alert3 (no hits for alert1 and alert2). I don't think it's working. Can you take a look?
index=tool rule=alert* | rex field=Message "(?(?<=;)[^;]*(?=;))" | streamstats dc(rule) as count by USERNAME | where count>2 | stats count by USERNAME
output:
user1 15
user2 3
user3 1
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
