How to check if certain events occur N consecutive times?

SplunkExplorer
Contributor

Hi Splunkers, I have to build a rule, based on Windows Logs (XML ones), that must check this:

Notify me if there are at least 3 consecutive occurrences of EventID 4776 from a list of hosts. The desired output must show:

  • Host
  • Number of consecutive events
  • User/account associated with the events

So for example, if we have that

  • Host A has 4 consecutive events of EventID 4776 for user "Admin"
  • Host B has 19 consecutive events of EventID 4776 for user "Test"
  • Host C has 2 consecutive events of EventID 4776 for user "Joker"
  • Host D has 3 events of EventID 4776, but only 2 consecutive; then it has another, different event, and only after this another occurrence of 4776 for user "Hello"

Host C doesn't match the consecutive-count clause and must be excluded; same for Host D, because it has 3 events but they are not consecutive. The expected output is:

Host  User   N. of consecutive events
A     Admin  4
B     Test   19

What has me stuck here is how to check that the events are consecutive. Any suggestion?


gcusello
SplunkTrust

Hi @SplunkExplorer,

let me understand: when you say consecutive events, do you mean events in the reference period, or that between these events there isn't any other event?

In the first case, you can run a simple search like the following:

index=wineventlog EventCode=4776
| stats count BY host user
| where count>=3

If the second, the solution is more complex; I'll think about it.

Ciao.

Giuseppe


SplunkExplorer
Contributor

Hi @gcusello, it is the second option you mentioned: no other events must be present between the desired ones.

For example:

15:00:00: Event ID 4776 for user gcusello
15:00:01: Event ID 4776 for user gcusello
15:00:02: Event ID 4776 for user gcusello

is fine, while:

15:00:00: Event ID 4776 for user gcusello
15:00:01: Event ID 4776 for user gcusello
15:00:02: Event ID 4625 for user gcusello
15:00:03: Event ID 4776 for user gcusello

it isn't.


isoutamo
SplunkTrust

I think that this is doable with https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Streamstats

Just use reset_before or reset_after, whichever suits you better.

| streamstats reset_before="EventID!=4776" count by host user
| where EventID=4776 AND count>=3
| stats max(count) AS consecutive BY host user
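As an added example (Python, not code from this thread), the consecutive-run logic of the streamstats approach above, reimplemented over constructed sample events so the Host A to D cases from the question can be checked offline. The event dicts (_time, host, user, EventID), their timestamps and the extra host E case are all constructed for the example; the SPL quoted in the docstring is the search it mirrors.

```python
"""Added example (not code from the thread): the consecutive-run check
from the accepted answer, reimplemented in Python over constructed
events so the Host A to D cases from the question can be verified offline.

It mirrors this SPL:

    | streamstats reset_before="EventID!=4776" count by host user
    | where EventID=4776 AND count>=3
    | stats max(count) AS consecutive BY host user
"""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_EVENT_ID = 4776  # EventID from the question
THRESHOLD = 3           # "at least 3 consecutive occurrences"


def consecutive_counts(events, event_id=TARGET_EVENT_ID, group_by=("host", "user")):
    """Return {group_key: longest run of event_id} for each group.

    Like `streamstats ... count by host user`, one counter is kept per
    group, and like reset_before="EventID!=4776", any event in that
    group with a different EventID zeroes the counter. Events are
    sorted by _time first, so search result order does not matter.
    """
    counters = defaultdict(int)
    longest = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[field] for field in group_by)
        if ev["EventID"] != event_id:
            counters[key] = 0  # a different event breaks the run
            continue
        counters[key] += 1
        longest[key] = max(longest[key], counters[key])
    return dict(longest)


def alert_rows(events, threshold=THRESHOLD):
    """Rows (host, user, n) to notify on, i.e. groups with n >= threshold."""
    return sorted(
        key + (n,)
        for key, n in consecutive_counts(events).items()
        if n >= threshold
    )


def make_events(host, user, event_ids, start):
    """Constructed sample data: one event per second, in the order given."""
    return [
        {"_time": start + timedelta(seconds=i), "host": host,
         "user": user, "EventID": eid}
        for i, eid in enumerate(event_ids)
    ]


T0 = datetime(2023, 6, 1, 15, 0, 0)

# The four hosts from the question (constructed data, not real logs).
SAMPLE_EVENTS = (
    make_events("A", "Admin", [4776] * 4, T0)
    + make_events("B", "Test", [4776] * 19, T0)
    + make_events("C", "Joker", [4776] * 2, T0)
    + make_events("D", "Hello", [4776, 4776, 4625, 4776], T0)
)

# Grouping caveat (constructed host E): account y's 4625 sits between
# x's 4776s. With `by host user` it does not break x's run; with
# `by host` it does.
MIXED_USERS = (
    make_events("E", "x", [4776], T0)
    + make_events("E", "y", [4625], T0 + timedelta(seconds=1))
    + make_events("E", "x", [4776, 4776], T0 + timedelta(seconds=2))
)

if __name__ == "__main__":
    print("Host\tUser\tN. of consecutive events")
    for host, user, n in alert_rows(SAMPLE_EVENTS):
        print(f"{host}\t{user}\t{n}")                       # A Admin 4, B Test 19
    print(consecutive_counts(MIXED_USERS))                     # x run = 3
    print(consecutive_counts(MIXED_USERS, group_by=("host",)))  # run = 2
```

The host E case is the point to decide before deploying the rule: with `by host user` an event from another account on the same host does not interrupt a run, while grouping by host alone makes any other event on the host break it. Pick the by clause that matches what "consecutive" means for the detection.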

 

 

 
