We're trying to set up an alert for user contacting malware websites constantly. For eg user A attempts to access "malware" category website on day 1, day 2 and day 3, if it has happened on all 3 days then should be flagged.
index=proxy url=* category="malware"
Tried to add below after the base seach but doesn't seem to be creating 3 buckets.
| bin _time bins=3 | stats count by _time
Any help or pointers?
Thanks in advance!!
I have not tried this one yet , but i got some answers for this same issue
You can't set a time retention on hot or warm buckets. Only by size in MB. This is one of my huge gripes in Splunk.
You can use the Monitoring Console to gain some insight into how much data is in your hot/warm directories (x amount of days, for instance). The only time retention I've found is based on moving data from cold into frozen
Link to the original answer : https://answers.splunk.com/answers/501003/could-i-set-the-the-time-limit-on-hotwarm-buckets.html
Below query seems to be giving me answer nearly what we after
index=proxy logs url=* category="malware" | bucket _time span=24h | stats count by _time,user
Results are something like this when I run for 2 days:
_time user count
2018-10-24 10:00 A 1
2018-10-24 10:00 B 11
2018-10-24 10:00 C 3
2018-10-25 10:00 A 1
2018-10-25 10:00 D 9
2018-10-25 10:00 E 10
Now, as we can see that user A has appeared twice in the search, is there a way to display the results only for user A and filter out rest?