I would like to know expert opinions on how to effectively form a Splunk search which should alert based on two individual events.
I have an event "A" followed by event "B" in the same time frame; both have a common field name, and I would only want to alert if the response_code field doesn't match in both events.
Any suggestions?
Ex:
Event A:
20190717153055|365|REQUEST|abc|anonymous|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|401|1512892
Event B:
20190717153056|309|REQUEST|abc|deployer-us|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|201|1512892
I would only want to generate an alert if the response code is 401 and the last field is common among the two events. Here the common field is "1512892".
P.S.: the last common field is dynamic and is not always 1512892.
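An added example (not from the original question or answer) of a search over the real pipe-delimited format: it extracts the fields with rex, groups events by the trailing id, and keeps only ids that produced a 401 together with a different response code. `my_index`, `my_sourcetype` and the 15-minute window are placeholder assumptions; the field names given to rex are also chosen here, not taken from the log.

```spl
index=my_index sourcetype=my_sourcetype earliest=-15m
| rename COMMENT as "--- placeholder index, sourcetype and window: adjust to the real source and to your 'same time frame' ---"
| rename COMMENT as "--- split the 10 pipe-delimited fields; the last one (txn_id) is the value both events share ---"
| rex field=_raw "^(?<ts>\d{14})\|(?<elapsed>\d+)\|(?<kind>[^|]+)\|(?<app>[^|]+)\|(?<user>[^|]+)\|(?<method>[^|]+)\|(?<path>[^|]+)\|(?<proto>[^|]+)\|(?<response_code>\d{3})\|(?<txn_id>\d+)$"
| where isnotnull(txn_id)
| rename COMMENT as "--- one row per txn_id: how many distinct codes it saw, and how many of them were 401 ---"
| stats min(_time) as first_seen, dc(response_code) as dc_codes, values(response_code) as codes, values(user) as users, values(path) as paths, sum(eval(if(response_code="401",1,0))) as n_401 by txn_id
| rename COMMENT as "--- alert only when a 401 and at least one different code share the same id (401 followed by 201 in the sample) ---"
| where n_401 > 0 AND dc_codes > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table first_seen txn_id users paths codes
```

Save it as a scheduled alert with the trigger condition "number of results > 0"; a lone 401 with no follow-up event, or two 401s for the same id, returns no row and so does not fire.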
Hi
You could try this (paste and follow the comments):
| makeresults count=10
| rename COMMENT as "--- Sample Generated Data ---"
| streamstats count
| eval evnt_type=count
| eval evnt_type=if(evnt_type%2> 0, "A", "B")
| eval random=random() % 300
| rename COMMENT as "--- Pair each A with the B that follows it: the first random value in every 2-event window becomes the shared common_field, and the window resets after each B ---"
| streamstats first(random) as random window=2 reset_after="("match(evnt_type,\"B\")")"
| eval _time=_time - random
| rename random as common_field
| eval Response_code=if(count%5=0, 400, 200)
| eval evnt=strftime(_time, "%Y%m%d%H%M%S")."|...|"."HTTP/1.1"."|".Response_code."|".common_field
| fields - count
| table _time Response_code common_field evnt_type evnt
| rename COMMENT as "--- Stats function: group the paired events and keep only the pairs whose response codes differ ---"
| stats dc(Response_code) as dc_Response_code values(evnt) as evnts by _time common_field
| where dc_Response_code > 1
Cheers!!!
Any help is much appreciated, thanks 🙂
@jaime.ramirez
I have used "A" and "B" just as an example to explain my scenario. I have log files in the following format:
20190717153055|365|REQUEST|abc|anonymous|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|401|1512892
20190717153056|309|REQUEST|abc|deployer-us|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|201|1512892
I tried to understand your answer but failed to do so.