Splunk Search

Can you help me with my query within a query?

mansinchu
New Member

Hi,

I am trying to see if this type of query is possible

I am creating an alert base on 2 conditions.

The first condition must be met and then check the second condition

First Condition: tid result be unique and more than 4 results return
Second Condition: host must be unique and must be more than 1 hosts

Query:

("ERROR")|dedup tid|eval hostname=substr(host,1,5)

It will return something like this

Original host name is

londn1
londn2
eurpn1
eurpn2

The eval will give me

londn and eurpn

I am able to get the first condition working. Once I get the first condition met, I will need to check the result to make sure it comes from more than 1 host (without the 1 and 2 in the hostname).

How should I go about this?

Tags (1)
0 Karma

mansinchu
New Member

Thank you.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

You don't need to overcomplicate your query. you are just pulling additional information out of what you have already done, not doing another query.

your search
| stats values(host) as host by tid
| where mvcount(host)>3
| mvexpand host
| eval shost=substr(host,1,5)
| stats values(host) as host values(shost) as shost by tid
| where mvcount(shost) > 1

Of course, once you review that code, you really don't need to put it together, pull it all apart and put it back together again.

Just do it this way...

your search
| eval shost=substr(host,1,5)
| stats values(host) as host values(shost) as shost by tid
| where mvcount(shost) > 1 AND mvcount(host)>3
0 Karma

mlevsh
Builder

@DalJeanis

Can we use mvcount to get result requested in the question?
Let's say we have multi-valued field like cve

cve
CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892;CVE-2011-1893
CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892
CVE-2011-0653;CVE-2011-1252;CVE-2011-1890

Then we can apply
...|eval cvecount=mvcount(split(cve,";))

That will give us result

cvecount cve
6               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892;CVE-2011-1893
5               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890;CVE-2011-1891;CVE-2011-1892
3               CVE-2011-0653;CVE-2011-1252;CVE-2011-1890

@mansinchu , I believe, wants to accomplish the following :

Alert needs to be triggered when number of unique tid values is more than 4 with numbers of unique host values more than one

For example:
These results should trigger the alert : 5 unique tid with 2 unique hosts (londn and eurpn)

host        tid
londn       123
londn        456
eurpn        786
eurpn        910
eurpn        135

These results should not trigger the alert: 4 unique tid values but with just one unique host londh

host        tid
londn       123
londn        456
londn       786
londn        910
londn        135
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!