Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I group events from three rules by the same field value

DEAD_BEEF
Builder
‎03-15-2016 08:49 AM

I have a tool that generates three different alerts (alert1, alert 2, alert3). In these alerts, it records the username (parsed out via rex). I am having trouble correlating events when all three alerts contain the same username within a 7 day period. Ideally, I would like to create a dashboard that shows me how many times a username has been observed in alert1, alert2, and alert3 (not in each alert, but in all 3).

Which commands should I be looking at to show me when the username in alert1 = alert2 = alert3 ?

Current search query
index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | unknown_query

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-15-2016 10:00 AM

Give this a try

index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | chart count over USERNAME by rule | where alert1>0 AND alert2>0 AND alert3>0

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-15-2016 10:00 AM

Give this a try

index=tool rule=alert* | rex field=Message "(?<USERNAME>(?<=;)[^;]*(?=;))" | chart count over USERNAME by rule | where alert1>0 AND alert2>0 AND alert3>0
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎03-15-2016 10:18 AM

I have been pouring over another post that you answered regarding streamstats trying to decipher it all out but this is perfect! Exactly what I was looking for. Thank you so much!!

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎03-15-2016 09:02 AM

streamstats dc(rule) as count by USERNAME | where count>2

will give you the events where the user is seen in the 3 alerts, then you could pipe into the stats command if you want to do further computing

0 Karma
Reply
Solved! Jump to solution

DEAD_BEEF
Builder
‎03-15-2016 09:15 AM

user3 shows 1 hit, I looked through the logs and only find user3 in alert3 (no hits for alert1 and alert2). I don't think it's working. Can you take a look?

index=tool rule=alert* | rex field=Message "(?(?<=;)[^;]*(?=;))" | streamstats dc(rule) as count by USERNAME | where count>2 | stats count by USERNAME

output:
user1     15
user2     3
user3     1
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...