- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- i need search query for status change hear when th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
event status : False positive (25 may)
False positive (24 may)
Investigating (23 may)
Investigating (22 may)
Service degradation (21 may)
Hear status changed Service degradation to investigating then alert wants to raised
then status changed investigating to investigating then alert is not raised.
then status changed from investigating to false positive then alert wants raised.
dash board query:
index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval myTimeNewEpoch=strptime(UpdatedTime,"%Y-%m-%dT%H:%M:%S")
| eval UpdatedTime=strftime(myTimeNewEpoch,"%Y-%m-%d %H:%M:%S")
| table LastUpdatedTime DisplayName Status Description
| rename UpdatedTime as Time DisplayName as Application
| sort -Time
please help me with the query to create the alert
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval _time=strptime(UpdatedTime,"%Y-%m-%dT%H:%M:%S")
| rename DisplayName as Application
| table _time Application Status Description
| sort _time
| autoregress Status as Status_p
| where (Status="investigating" AND Status_p="Service degradation") OR (Status="false positive" AND Status_p="investigating")
| eval _time=strftime(_time, "%F %T")
If event count > 0 , fire alert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="mail_activity" sourcetype="service:message" DisplayName="Exchange Online"
| eval _time=strptime(UpdatedTime,"%Y-%m-%dT%H:%M:%S")
| rename DisplayName as Application
| table _time Application Status Description
| sort _time
| autoregress Status as Status_p
| where (Status="investigating" AND Status_p="Service degradation") OR (Status="false positive" AND Status_p="investigating")
| eval _time=strftime(_time, "%F %T")
If event count > 0 , fire alert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tanks for your answer to4kawa but its not giving any results
hear my requirement is:
if 22nd and 23rd is same status then it will pick 22nd event only
and then 23rd and 24th are different status at that time it will pick 23rd and 24th events as well
and 24th, 25th same status so it will pick 24th one only
(simply when ever status change at that time it will pick the event other wise it will not pick the same event again and again )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
its not giving any results
What's this?
You are going to fire alert at status changing. aren't you?
Alerting and pick events are different. which do you want?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actual requirement is when status field values are changed from one to another alert needs to be triggered
below are the status field values
Extended recovery
Investigation suspended
False positive
Investigating
Service degradation
Service restored
Restoring service
Post-incident report published
Ex: if status field value from false positive to investigating then alert should be triggered
If field value false positive to false positive then no alert should be triggered.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| where (Status="investigating" AND Status_p="Service degradation") OR (Status="false positive" AND Status_p="investigating")
→
| where Status!=Status_p
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hear my condition is we have a 8 status values is if status1 is the latest event then it compare with the up coming events like status2,status3 etc.... status8
If the latest status1==up coming status then no alarm raise
If the new(up coming status) latest status1!=up coming status then alarm raise
(every time it compare with the latest event to up coming event if latest and up coming events are same no alarm then alarm)
Thanks In Advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer but it didn't give any statistic value but it has given results in verbose mode i think we need to compare with latest status value and before that latest status value
if latest status and before latest value will be same no alarm raise if it is different alarm should be raise
EX: latest status=Extended recovery
before latest status= Investigation suspended
Extended recovery==Extended recovery (no alert)
Extended recovery== Investigation suspended (alert raise)
(Every time it pick the latest event and compare with all other event values if latest and coming events are same no alert , if latest and coming events are different then raise alert )
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
