Splunk Search

How to generate alert from two different events in same index and same source

Engager

I would like to know expert opinions on how to effectively form a Splunk search which should alert based on two individual events.
I have an event "A" followed by event "B" in the same time frame; both have a common field name, and I would only want to alert if the response_code field doesn't match in both events.
Any suggestions?

Ex:

Event A: 20190717153055|365|REQUEST|abc|anonymous|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|401|1512892
Event B: 20190717153056|309|REQUEST|abc|deployer-us|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|201|1512892

I would only want to generate an alert if the response code is 401 and the last field is common among the two events. Here the common field is "1512892".

P.S.: the last common field is dynamic and is not always 1512892.


Communicator

Hi

You could try this (paste and follow the comments):

| makeresults count=10
| rename COMMENT as "--- Sample Generated Data: 10 rows, alternating evnt_type A/B ---"
| streamstats count
| eval evnt_type=count
| eval evnt_type=if(evnt_type%2 > 0, "A", "B")
| eval random=random() % 300
| rename COMMENT as "--- copy the A row's random value onto the following B row so each A/B pair shares it ---"
| streamstats first(random) as random window=2 reset_after="("match(evnt_type,\"B\")")"
| eval _time=_time - random
| rename random as common_field
| eval Response_code=if(count%5=0, 400, 200)
| eval evnt=strftime(_time, "%Y%m%d%H%M%S")."|...|"."HTTP/1.1"."|".Response_code."|".common_field
| fields - count
| table _time Response_code common_field evnt_type evnt
| rename COMMENT as "--- Stats function: one row per pair, keep only pairs whose response codes differ ---"
| stats dc(Response_code) as dc_Response_code values(evnt) as evnts by _time common_field
| where dc_Response_code > 1

Cheers!!!


Engager

Any help is much appreciated, thanks 🙂


Engager

@jaime.ramirez
I have used "A" and "B" just as an example to explain my scenario. I have log files in the following format:
20190717153055|365|REQUEST|abc|anonymous|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|401|1512892
20190717153056|309|REQUEST|abc|deployer-us|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|201|1512892

I tried to understand your answer but failed to do so.

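The search below is an added example written against the pipe-delimited format posted above; it is not the answer's search and not from the original thread. It assumes the events live in an index and source given here as placeholders, that the last field (1512892 in the sample) is a request id shared by the two events, and that "same time frame" means the pair lands within 60 seconds of each other; it extracts the fields with rex, groups by request id and keeps only groups that contain more than one response code, one of which is 401.

```spl
index=<your_index> source=<your_source>
| rename COMMENT as "--- field names (ts, app, user, request_id, ...) are assumed labels, not from the thread ---"
| rex field=_raw "^(?<ts>\d{14})\|(?<elapsed>\d+)\|(?<rec_type>[^|]+)\|(?<app>[^|]+)\|(?<user>[^|]+)\|(?<method>[^|]+)\|(?<path>[^|]+)\|(?<proto>[^|]+)\|(?<response_code>\d{3})\|(?<request_id>\d+)$"
| rename COMMENT as "--- one row per request id: how many distinct codes, which codes, which users, and the time spread ---"
| stats count min(_time) as first_seen max(_time) as last_seen dc(response_code) as dc_codes values(response_code) as codes values(user) as users by request_id path
| rename COMMENT as "--- keep pairs whose codes differ, that arrived within the assumed 60 s window, and that include a 401 ---"
| where dc_codes > 1 AND (last_seen - first_seen) <= 60
| search codes=401
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table request_id path users codes first_seen last_seen
```

Save it as a scheduled alert that triggers when the number of results is greater than 0; widen or tighten the 60 s threshold to match how far apart the two events can actually be.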