Hello All,
I'm trying to figure out how to group certain events together if they happen within 1 second of each other's relative _time (they happened <= one second from each other).
Current search as an example example:
sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03" | stats values(login_server) count(login_server) AS UniqueEventCount dc(login_server) AS UniqueServerCount by HostName, User | sort -UniqueServerCount | where UniqueServerCount > 1
What the above answers is: "Show me the events where a host and user name logs into two or more different login servers". What I need to add is that I only want to show events that log into two or more login servers within 1 second of each other.
Bucket does not do this as two events can fall within 1 second of each other, but not fall into the same one second buckets markers.
Any ideas?
Hi thisissplunk,
Maybe you can use the "transaction" command. Using a "| transaction login_server maxspan=1s". This way you will group all the events with the login_server that are equal withing 1 second max difference between events.
Hope this helps!
Hi thisissplunk,
Maybe you can use the "transaction" command. Using a "| transaction login_server maxspan=1s". This way you will group all the events with the login_server that are equal withing 1 second max difference between events.
Hope this helps!
The transaction command did it. Though I will say it adds a LOT of overhead and makes some of our searches impossible over more than a few minutes. It does however do the same as the above initial search AND ensures they all happened within 1 second of each other.
I can now say "Someone logged into 3 different servers within one second, and here is your single alert showing you so".
sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03" | transaction fields="HostName" maxspan=1s | eval UniqueServers=mvcount(login_server) | where UniqueServers > 1