Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to make sure a saved search covers proper time range

okayal
Explorer
‎11-20-2019 06:58 AM

Hello,

We have a saved search that checks for the occurrence of at least two separate events for each user. For example, say I want to check if a user logs in and logs out within the same hour, a simplified search would be something like this:

index=windows event_id IN ("4624","4625")
| stats dc(event_id) as dc_count by User
| search dc_count>=2

I would save this as an Alert, schedule it to run every hour at the start of the hour, with a time range of the last hour. This works without any problems, however, my concern is as follows. Say a user logs in at the 59 minute mark, then logs out at the 15 minute mark. The alert will not detect it since it will fall under two separate searches times.

One solution I can think of is to change the stats command to a streamstats, then change the time range to the last two hours, keeping the schedule to run every hour:

| streamstats dc(event_id) as dc_count by User time_window=1h

Lastly, apply a throttle by user to avoid duplicate alerts.

However, I feel this solution is kind of ugly and cumbersome, and I was wondering if I am missing an obvious way to solve this.

Thank you

0 Karma
Reply

to4kawa
Ultra Champion
‎11-23-2019 06:38 PM 
 index=windows event_id IN ("4624","4625") earliest=-2h@h
 | streamstats count(eval(event_id==4625)) AS sessionID BY User
 | stats first(_time) AS _time range(_time) AS duration values(event_id) AS event_id dc(event_id) as eventId_count BY sessionID User
 | where event_id==4624 AND policy_count==1
 | where duration > your_desire_duration_seconds

HI, If you search in the past 2 hours every hour, you will be alerted.

thanks @woodcock , I used your query.  

Reply

woodcock
Esteemed Legend
‎11-23-2019 10:25 PM

You did UpVote, right?

0 Karma
Reply

to4kawa
Ultra Champion
‎11-23-2019 11:41 PM

Roger that.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...