Solved: Correaltion Search : Detect if an Acces Apache Log...

yanisA · ‎06-29-2021

Hello,

We need to develop a Correlation Search to implement this algorithm :

If a specific custom event (here tagged as index="custom_app" categorie="custom_log") occures for one user we trigger an alert if there is no access apache log for the same user.

I have tried the following correlation search with trigger conditions : Trigger alert when Number of Results is equal to 0.

index="linux_apache" sourcetype="apache:access:kv"

[search index="custom_app" categorie="custom_log"

| top limit=1 user

| table user]

| table user

| dedup user

Thanks by advance for your help regarding this topic

venkatasri · ‎06-29-2021

Hi @yanisA

As i understood you want to return top user to main search linux* and if there is a single table entry then you want to trigger it. You can try following query

index="linux_apache" sourcetype="apache:access:kv"
[search index="custom_app" categorie="custom_log"
| top limit=1 user
| return user]
| stats count by user

---

An upvote would be appreciated and Accept solution if it helps!

View solution in original post

venkatasri · ‎06-29-2021

@yanisA Hope it helped, Appreciate if you could Accept solution.

venkatasri · ‎06-29-2021

Hi @yanisA

As i understood you want to return top user to main search linux* and if there is a single table entry then you want to trigger it. You can try following query

index="linux_apache" sourcetype="apache:access:kv"
[search index="custom_app" categorie="custom_log"
| top limit=1 user
| return user]
| stats count by user

---

An upvote would be appreciated and Accept solution if it helps!

yanisA · ‎06-29-2021

Hi @venkatasri ,

Yes that's it ! It seems to work perfectly !

Thank you so much for your help 🙂

Correaltion Search : Detect if an Acces Apache Log exist for a user who has triggered an event

correlation search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life