Deployment Architecture

How do I group events from three rules by the same field value

DEAD_BEEF
Builder

I have a tool that generates three different alerts (alert1, alert 2, alert3). In these alerts, it records the username (parsed out via rex). I am having trouble correlating events when all three alerts contain the same username within a 7 day period. Ideally, I would like to create a dashboard that shows me how many times a username has been observed in alert1, alert2, and alert3 (not in each alert, but in all 3).

Which commands should I be looking at to show me when the username in alert1 = alert2 = alert3 ?

Current search query
index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | unknown_query

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | chart count over USERNAME by rule | where alert1>0 AND alert2>0 AND alert3>0

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Give this a try

index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | chart count over USERNAME by rule | where alert1>0 AND alert2>0 AND alert3>0

DEAD_BEEF
Builder

I have been pouring over another post that you answered regarding streamstats trying to decipher it all out but this is perfect! Exactly what I was looking for. Thank you so much!!

0 Karma

asimagu
Builder

streamstats dc(rule) as count by USERNAME | where count>2

will give you the events where the user is seen in the 3 alerts, then you could pipe into the stats command if you want to do further computing

0 Karma

DEAD_BEEF
Builder

user3 shows 1 hit, I looked through the logs and only find user3 in alert3 (no hits for alert1 and alert2). I don't think it's working. Can you take a look?

index=tool rule=alert* | rex field=Message "(?(?<=;)[^;]*(?=;))" | streamstats dc(rule) as count by USERNAME | where count>2 | stats count by USERNAME

output:
user1     15
user2     3
user3     1
0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...