Splunk Search

Alert when certain event occurs outside of time period of other event

tbrown
Path Finder

I have an event that logs the following 

 

 

.
.
startTime: 2020-07-17T17:48:46Z
endTime: 2020-07-17T17:52:27Z
.
.

 

 

I can pull out the following startTime and endTimes with regex. However, I also have a different event that comes in randomly. Call this the triggerEvent.

I basically want to alert whenever the triggerEvent comes in, provided it is not within the time period(between startTime and endTime) of the previous types of events I described. There may be multiple events over multiple days so I need to check that it doesn't occur during any of those time periods.

Any feedback is appreciated!

 

Labels (2)
Tags (2)
0 Karma
1 Solution

to4kawa
Ultra Champion
index=trigger_event [ search index=start_end_event | rex your_regex | eval earliest=strptime(startTime."+0000","%FT%TZ%z"), latest=strptime(endTime."+0000","%FT%TZ%z")
| addinfo | eval timeargs="(earliest=".info_min_time." latest=".earliest.") OR (earlest=".latest." latest=".info_max_time.")"
| return $timeargs]

If there is the event, fire alert.

 

View solution in original post

to4kawa
Ultra Champion
index=trigger_event [ search index=start_end_event | rex your_regex | eval earliest=strptime(startTime."+0000","%FT%TZ%z"), latest=strptime(endTime."+0000","%FT%TZ%z")
| addinfo | eval timeargs="(earliest=".info_min_time." latest=".earliest.") OR (earlest=".latest." latest=".info_max_time.")"
| return $timeargs]

If there is the event, fire alert.

 

Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...