
How to check if certain events occur N consecutive times?

SplunkExplorer
Contributor

Hi Splunkers, I have to build a rule, based on Windows Logs (XML ones), that must check this:

Notify me if there are at least 3 consecutive occurrences of EventID 4776 from a list of hosts. The desired output must show:

  • Host
  • Number of consecutive events
  • User/account associated to the events

So for example, if we have that

  • Host A has 4 consecutive events of EventID 4776 for user "Admin"
  • Host B has 19 consecutive events of EventID 4776 for user "Test"
  • Host C has 2 consecutive events of EventID 4776 for user "Joker"
  • Host D has 3 events of EventID 4776, but only 2 consecutive; then it has another, different event and only after this another occurrence of 4776 for user "Hello"

Host C doesn't match the consecutive count clause and must be excluded; same for Host D, because it has 3 events but not consecutive. The expected output is:

Host  User   N. of consecutive events
A     Admin  4
B     Test   19

What gets me stuck here is how to check that the events are consecutive. Any suggestion?

0 Karma
1 Solution

isoutamo
SplunkTrust

I think that this is doable with https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Streamstats

Just use reset_before/after, whichever suits you better.

| streamstats reset_after="(EventID!=4776)" count BY host user
| where EventID=4776 AND count>=3
| stats max(count) AS consecutive BY host user
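The run detection that streamstats performs in the accepted answer, carried out offline in Python over constructed sample events so the expected output (hosts A and B only) can be checked; this is an added example, not code from the thread, and the record layout (dicts with _time, host, user, EventID) is an assumption.

```python
from collections import defaultdict


def make_events(host, user, event_ids, start):
    """Build constructed sample records (not real Windows logs), one second apart."""
    return [{"_time": start + i, "host": host, "user": user, "EventID": eid}
            for i, eid in enumerate(event_ids)]


# Constructed sample mirroring the four hosts described in the question.
# Hosts A and D share timestamps, so their events interleave in time order;
# one counter per (host, user) keeps that interleaving from breaking a run.
SAMPLE = (
    make_events("A", "Admin", [4776] * 4, start=0)
    + make_events("D", "Hello", [4776, 4776, 4625, 4776], start=0)
    + make_events("B", "Test", [4776] * 19, start=100)
    + make_events("C", "Joker", [4776] * 2, start=200)
)


def consecutive_runs(events, target=4776, threshold=3):
    """Longest run of `target` per (host, user), keeping only runs >= threshold.

    Walks events in time order with one counter per (host, user); any other
    EventID for that pair resets its counter, which is what
    `streamstats reset_after="(EventID!=4776)" count BY host user` does.
    """
    current = defaultdict(int)
    longest = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["host"], ev["user"])
        if ev["EventID"] == target:
            current[key] += 1
            longest[key] = max(longest[key], current[key])
        else:
            current[key] = 0  # a different event breaks the run
    return {k: n for k, n in longest.items() if n >= threshold}


def format_table(runs):
    """Render the result in the Host / User / N. of consecutive events layout."""
    lines = ["Host  User   N. of consecutive events"]
    for (host, user), n in sorted(runs.items()):
        lines.append(f"{host:<5} {user:<6} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(consecutive_runs(SAMPLE)))
```

Lowering the threshold to 2 surfaces hosts C and D with a run of 2 each, which shows that D's third 4776 is correctly not joined to its earlier two.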

gcusello
SplunkTrust

Hi @SplunkExplorer,

let me understand: when you say consecutive events, do you mean events in the reference period, or that between these events there isn't any other event?

In the first case, you can run a simple search like the following:

index=wineventlog EventCode=4776
| stats count BY host user
| where count>=3

If the second, the solution is more complex; I'll think about it.

Ciao.

Giuseppe

0 Karma

SplunkExplorer
Contributor

Hi @gcusello, it is the second option you mentioned: no other events must be present between the desired ones.

For example:

15:00:00: Event ID 4776 for user gcusello
15:00:01: Event ID 4776 for user gcusello
15:00:02: Event ID 4776 for user gcusello

is fine, while:

15:00:00: Event ID 4776 for user gcusello
15:00:01: Event ID 4776 for user gcusello
15:00:02: Event ID 4625 for user gcusello
15:00:03: Event ID 4776 for user gcusello

it isn't.

0 Karma
