Splunk Search

How to get results from last week's data but only if there is a new returned result from last 24h?

evallja
Path Finder

Hello everyone,

I'm trying to schedule an alert looking like this: index=network host=device1 | stats count by sourceip | where count > 2 (last 7 days).

I will schedule it daily and I want it to search the last 7 days to see if an IP is found more than 2 times and return events like the below:

    sourceip           count
1   162.14.xxx.xxx     5
2   185.225.xxx.xxx    7
3   203.122.xxx.xxx    3
4   61.246.xxx.xxx     6

The problem is that the next day I don't want to see the same results if there is no new data from a new IP in the last 24h.
So I need to add a condition that will only allow the search to return results if a new returned result (where count > 2) was added to the results in the last 24h.

Do you have any suggestions?

Thank you in advance.

ITWhisperer
SplunkTrust

Try something like this

index=network host=device1 earliest=-7d@d latest=@d
  [ index=network host=device1 earliest=-24h@h latest=@h
    | dedup sourceip
    | fields sourceip]
| stats count by sourceip 
| where count > 2

evallja
Path Finder

Thank you for your reply @ITWhisperer, it was very helpful. I modified two little things like below and now it is working perfectly:

index=network host=device1 earliest=-7d@d latest=@d
  [ search index=network host=device1 earliest=-24h@h latest=@h
    | fields sourceip]
| stats count by sourceip 
| where count > 2

Best regards.

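To show what the accepted search does step by step, here is an offline Python model of it (an added example, not SPL from the thread): the subsearch collects the sourceip values seen in the last 24h, Splunk expands that list into an OR filter on the outer 7-day search, and stats/where then keep only IPs counted more than twice. The event timestamps, IP addresses and the fixed "now" are constructed sample data; the two windows are snapped exactly as -7d@d/@d and -24h@h/@h would be.

```python
from collections import Counter
from datetime import datetime, timedelta

# Fixed "now" so the run is repeatable; a scheduled alert would use the real clock.
NOW = datetime(2024, 12, 10, 9, 30)

# Constructed sample events (timestamp, sourceip) using documentation address ranges.
EVENTS = [
    (datetime(2024, 12, 2, 23, 0), "192.0.2.10"),   # before -7d@d: not counted
    (datetime(2024, 12, 3, 0, 0), "192.0.2.10"),    # exactly at -7d@d: counted (inclusive)
    (datetime(2024, 12, 5, 11, 0), "192.0.2.10"),
    (datetime(2024, 12, 7, 8, 0), "192.0.2.10"),
    (datetime(2024, 12, 9, 15, 0), "192.0.2.10"),   # inside the 24h subsearch window
    (datetime(2024, 12, 9, 22, 0), "192.0.2.10"),
    (datetime(2024, 12, 4, 10, 0), "198.51.100.7"),
    (datetime(2024, 12, 6, 10, 0), "198.51.100.7"),
    (datetime(2024, 12, 7, 10, 0), "198.51.100.7"),
    (datetime(2024, 12, 8, 10, 0), "198.51.100.7"),  # last seen >24h ago: dropped by subsearch
    (datetime(2024, 12, 9, 20, 0), "203.0.113.3"),   # recent, but only one hit all week
    (datetime(2024, 12, 10, 2, 0), "192.0.2.99"),    # today only: passes the subsearch but
    (datetime(2024, 12, 10, 3, 0), "192.0.2.99"),    # falls outside latest=@d, so count is 0
    (datetime(2024, 12, 10, 4, 0), "192.0.2.99"),
]


def in_window(ts, earliest, latest):
    """Splunk time ranges are earliest-inclusive and latest-exclusive."""
    return earliest <= ts < latest


def recent_sources(events, now):
    """Subsearch: earliest=-24h@h latest=@h | fields sourceip.
    Splunk expands the returned rows into (sourceip=a) OR (sourceip=b) ... on the outer search."""
    latest = now.replace(minute=0, second=0, microsecond=0)  # @h
    earliest = latest - timedelta(hours=24)                   # -24h@h
    return {ip for ts, ip in events if in_window(ts, earliest, latest)}


def weekly_repeat_offenders(events, now, threshold=2):
    """Outer search: earliest=-7d@d latest=@d [subsearch] | stats count by sourceip | where count > threshold."""
    latest = now.replace(hour=0, minute=0, second=0, microsecond=0)  # @d
    earliest = latest - timedelta(days=7)                            # -7d@d
    allowed = recent_sources(events, now)
    counts = Counter(ip for ts, ip in events
                     if ip in allowed and in_window(ts, earliest, latest))
    return {ip: c for ip, c in counts.items() if c > threshold}


if __name__ == "__main__":
    print(weekly_repeat_offenders(EVENTS, NOW))  # {'192.0.2.10': 5}
```

Note that the two windows are not aligned: hits after midnight today pass the subsearch but lie outside latest=@d, so 192.0.2.99 is not reported despite three hits, and an IP seen only in the last 24h can at most contribute the hours before midnight to its weekly count.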