Splunk Search

Alert on user activity past 7 days and today

wtaylor149
Explorer

I have a need to find users who have multiple infections over a 7-day period. For example, user1 has an infection today; I need to go back 7 days to see if this user has had any other infections.

My thought was to run a subsearch for looking back 7 days to "today at midnight" and find user(s) that have an infection event.  Then, run the same search for "today" (midnight to "now"), and if the user from the sub-search is found and only that user, alert.  I want to combine or display all of the events from both searches.

Example would be:
user1 - events on: (4 events)12/10/2020, (1 event)12/16/2020

user2 - events on: 12/11/2020

user3 - events on 12/10/2020

Running the first search over the past 7 days finds all of the above. The outer search will search the last 60 minutes and find user1. I want to alert on and display the 5 events from user1.

This will generate an alert.  Throttling will be done in the alert configs to remove duplicates.

Thanks as always.


Vijeta
Influencer

@wtaylor149 Please try the search I posted; for you it would be as follows. You can avoid a sub-search by using the query below.

index=av_logs sourcetype="av" "Risk_Action"="Virus found" earliest=-8d@d latest=now
| bin span=1h _time
| stats count by user Server_Name signature action _time
| eval flag=if(_time>=now()-(3600*24), 1, 0)
| eventstats sum(flag) as flag by user
| where flag > 0

wtaylor149
Explorer

Unfortunately that does not work either. I'm not sure, but this seems like something so easy. I just want to run a search for the past 60 minutes, take the user and other field/values, and run the same search for 7 days ago; if that same user is found in the logs, add those events to the subsearch results.


Vijeta
Influencer

What is the output you are getting with that search? Also, that is for the last day and not the last 60 minutes. If you want to check whether the user was infected in the last 60 min, please change the span to span=1m instead of span=1h and also change now() - (3600 * 24) to now() - 3600. Also share the result once you update.


wtaylor149
Explorer

I didn't get any results from that search.  The difficult thing is that these events are few and far between.  One day I can see 10 events and then no events for 2 days.  Sorry, I just don't understand why I'm not able to meld the two search results together in one result.  Seems so simple.


Vijeta
Influencer

@wtaylor149 you can do something like the following. I am considering users who had an infection in the last 7 days and also in the last 1 hour. This search needs to run over the last 7 days; in case you want to run it for users who had an infection in the last 7 days and today, change the time calculation accordingly.

<your search>
| bin span=1m _time
| stats count by user _time
| eval flag=if(_time>=now()-3600, 1, 0)
| eventstats sum(flag) as flag by user
| where flag > 0

wtaylor149
Explorer

Vijeta, thanks for the reply. I'm not sure that search will work. I'm looking to run a search hourly, looking back one hour. The search is the example below.
In this example my goal is to take the events found in the subsearch and display them along with the events found in the outer search. I've tried append, appendcols and join on user to get this to work but, depending on the command, I only get the results from the outer search and not both outer and inner search results. I could have sworn I've done this in the past, but nothing I've tried is working.

index=av_logs sourcetype="av" "Risk_Action"="Virus found" earliest=-1d@d latest=now
| stats count by user Server_Name signature action
| append
    [search index=av_logs sourcetype="av" "Risk_Action"="Virus found" earliest=-8d@d latest=-1d@d
    | stats count as eventCount values(signature) as signature, values(Server_Name) as Server_Name, values(action) as action by _time user
    | fields user signature Server_Name action]
| stats count by _time user Server_Name signature action

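An added example, not posted by anyone in this thread: a single search (no subsearch, append or join) that keeps only users who have an infection today AND at least one in the seven days before today, and returns every event from both windows for those users, which is what the original question asks for. The index, sourcetype and field names (user, Server_Name, signature, action, Risk_Action) are taken from the queries above; the window cutoff at local midnight is an assumption that should match the alert's schedule.

```spl
index=av_logs sourcetype="av" "Risk_Action"="Virus found" earliest=-8d@d latest=now
| eval window=if(_time >= relative_time(now(), "@d"), "today", "prior")
| eventstats count(eval(window="today")) as today_count, count(eval(window="prior")) as prior_count by user
| where today_count > 0 AND prior_count > 0
| table _time user window Server_Name signature action today_count prior_count
| sort user _time
```

The eval labels each raw event by window, eventstats attaches each user's per-window counts to every one of their events, and the where clause drops users seen in only one window (so a user with a first-ever infection today is not alerted on). For the hourly alert that looks back 60 minutes described later in the thread, replace "@d" with "-1h" and alert when the result count is greater than 0; throttling by user can then be handled in the alert configuration as the original poster intended.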