I would like to know expert opinions on how to effectively form a Splunk search which should alert based on two individual events.
I have an event "A" followed by event "B" in the same time frame. Both have a common field name, and I would only want to alert if the response_code field doesn't match in both events.
Event A: 20190717153055|365|REQUEST|abc|anonymous|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|401|1512892
Event B: 20190717153056|309|REQUEST|abc|deployer-us|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|201|1512892
I would only want to generate an alert if the response code is 401 and the last field is common to the two events. Here the common field is "1512892".
P.S.: the last common field is dynamic and is not always 1512892.
You could try this (paste and follow the comments):
| makeresults count=10
| rename COMMENT as "--- Sample Generated Data: alternate A/B events, pair them on a shared common_field, vary the response code ---"
| streamstats count
| eval evnt_type=if(count%2>0, "A", "B")
| eval random=random() % 300
| streamstats first(random) as random window=2 reset_after="("match(evnt_type,\"B\")")"
| eval _time=_time - random
| rename random as common_field
| eval Response_code=if(count%5=0, 400, 200)
| eval evnt=strftime(_time, "%Y%m%d%H%M%S")."|...|"."HTTP/1.1"."|".Response_code."|".common_field
| fields - count
| table _time Response_code common_field evnt_type evnt
| rename COMMENT as "--- Stats function: one row per common_field, alert when the response codes in the pair differ ---"
| stats dc(Response_code) as dc_Response_code values(evnt) as evnts by _time common_field
| where dc_Response_code > 1
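To check what the search above should produce against the real log format, here is a reference implementation of the alert condition in Python (added here as an illustration, not part of the original answer): it groups lines by the trailing common field and flags a group where a 401 is followed, within a time window, by an event with a different response code. The sample lines are constructed from the format in the question, and the 60-second window is an assumption.

```python
# Added reference implementation (not from the original answer): group events by the
# trailing shared field and flag a group when a 401 is followed, within a time window,
# by an event whose response code differs. Sample lines are constructed from the
# question's pipe-delimited format.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
20190717153055|365|REQUEST|abc|anonymous|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|401|1512892
20190717153056|309|REQUEST|abc|deployer-us|PUT|/xxx/xxx/xxx/xx/abc.zip|HTTP/1.1|201|1512892
20190717153100|120|REQUEST|abc|anonymous|GET|/xxx/xxx/xxx/xx/def.zip|HTTP/1.1|401|7777777
20190717153101|130|REQUEST|abc|anonymous|GET|/xxx/xxx/xxx/xx/def.zip|HTTP/1.1|401|7777777
20190717153200|140|REQUEST|abc|deployer-us|PUT|/xxx/xxx/xxx/xx/ghi.zip|HTTP/1.1|201|9999999
"""

def parse_line(line):
    """Split one pipe-delimited request line into the fields used for correlation."""
    fields = line.split("|")
    return {
        "time": datetime.strptime(fields[0], "%Y%m%d%H%M%S"),
        "user": fields[4],
        "response_code": int(fields[8]),
        "common_field": fields[9],  # trailing id; dynamic per request
    }

def find_alerts(log_text, window_seconds=60):
    """Return common_field values that should alert: a 401 followed within
    window_seconds by an event carrying a different response code."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            groups[ev["common_field"]].append(ev)
    alerts = []
    for key, events in groups.items():
        events.sort(key=lambda e: e["time"])  # "followed by" needs time order
        for i, first in enumerate(events):
            if first["response_code"] != 401:
                continue
            later = [e for e in events[i + 1:]
                     if (e["time"] - first["time"]).total_seconds() <= window_seconds]
            if any(e["response_code"] != 401 for e in later):
                alerts.append(key)
                break
    return alerts
```

Only the 1512892 pair alerts: the 7777777 group is two 401s with matching codes, and 9999999 has no 401 at all.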
I have used "A", "B" just as an example to explain my scenario. I have log files in the following format:
I tried to understand your answer but failed to do so.